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Intellectual Property Rights 



IPRs essential or potentially essential to the present document may have been declared to ETSI. The information 
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found 
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in 
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web 
server ( http://webapp.etsi.org/IPR/home.asp ). 

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee 
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web 
server) which are, or may be, or may become, essential to the present document. 



Foreword 



This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and 
Infrastructures (ESI). 

The present document is part 1 of a multi-part deliverable covering provisions for secure and reliable implementation, 
management and assessment of long term information preservation systems, as identified below: 

TS 101 533-1: "Requirements for Implementation and Management"; 

TR 101 533-2: "Guidelines for Assessors". 



Acknowledgment 
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Introduction 

In the light of EU-wide implementation of Directive 2006/123/EC [i.25], article 26, EUMS are required to "take 
accompanying measures to encourage providers to take action on a voluntary basis in order to ensure the quality of 
service provision". This will be accomplished through certification, assessment or by means of compUance with quality 
charters. 

Among the service providers addressed by this Directive are also Information Preservation Service Providers, especially 
in the fiscal area, where the stored document owner, i.e. the taxpayer, is held responsible towards the Authority for the 
document exhibition even when it resorts to a service provider. 

Article 17(2) of Directive 95/46/EC [i.29] states that "The Member States shall provide that the controller must, where 
processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical 
security measures and organizational measures governing the processing to be carried out, and must ensure compliance 
with those measures". 

In the light of the above mentioned EU Directives the purpose of the present document is to provide a common, 
objective and reliable basis for preservation service providers to implement, manage, and for Assessors to assess, secure 
Information Preservation Systems, meeting the information security related quality addressed by the above mentioned 
EU Directive 2006/123/EC [i.25]. 

Conversely, nothing is specified, neither in the present document nor in its sister TR 101 533-2 [i.24], on the auditors' 
qualification, as the currently existing documentation, in particular ISO/IEC 17021 [i.4], provide an official and 
exhaustive set of provisions. 

The present document is based on TS 102 573 [3], all provisions of which apply except where otherwise specified, and 
provides additional security and reliability measures that, in turn, are based on the ISO/IEC 27000 [i.26] family, more 
in particular on ISO/IEC 27001 [1] and ISO/EEC 27002 [2]. 
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The present document structure therefore matches that of TS 102 573 [3] and consequently, where applicable, the 
structure of ISO/lEC 27001 [1]. 

Provisions of the present document can be used by implementers and managers of Information Preservation Systems 
aiming to provide Information Preservation Services recognised as valid wherever the present document is endorsed, 
possibly by the applicable legislation. 
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Scope 



The present document addresses the Information Security Management System of Information Preservation Systems, by 
specifying Security requirements for Information Preservation Service Providers to abide by, when implementing and 
managing an IPS, in order to provide Information Preservation Services that are trustable and reliable from the 
Information Security viewpoint. 

Sister document TR 101 533-2 [i.24] provides recommendations on how to assess electronic information preservation 
services against the provisions specified in the present document. 

These measures are based on provisions of ISO/IEC 27001 [1], ISO/IEC 27002 [2] and TS 102 573 [3], enhancing them 
where necessary. 

The present document does not address specific document management related issues that are addressed by a number of 
ISO standards, such as ISO 14721 [i.5], ISO/IEC 15489 [i.l7], ISO 23081 [i.27] and, more in general, those dealt with 
by ISO/TC 46/SCl 1 which the reader of the present document should refer to. 

NOTE The present document and its sister document TR 101 533-2 [i.24] can be referred to by various archival 
management standards and standard families as a complementary and detailed set of specifications 
through which a reliable Information Security Management System can be implemented, managed and 
assessed, as regards the Information Preservation peculiarities. 



2 References 

References are either specific (identified by date of publication and/or edition number or version number) or 
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the 
reference document (including any amendments) applies. 

Referenced documents which are not found to be publicly available in the expected location might be found at 
http://docbox.etsi.org/Reference . 

NOTE: While any hyperlinks included in this clause were vaUd at the time of publication ETSI cannot guarantee 
their long term validity. 

2.1 Normative references 

The following referenced documents are necessary for the application of the present document. 

[1] ISO/IEC 27001: "Information technology — Security techniques — Information security 

management systems - Requirements". 

[2] ISO/IEC 27002: "Information technology — Security techniques — Code of practice for 

information security management". 

[3] ETSI TS 102 573: "Electronic Signatures and Infrastructures (ESI); Policy requirements for trust 

service providers signing and/or storing data for digital accounting". 

2.2 Informative references 

The following referenced documents are not necessary for the application of the present document but they assist the 
user with regard to a particular subject area. 

[i.l] BS 25999-1:2006: "Business continuity management - Part 1: Code of practice". 

[i.2] ISO/IEC 27005: "Information technology — Security techniques — Information security risk 

management" . 

[i.3] ISO/IEC 9594-8: "Information technology - Open Systems Interconnection - The Directory: 

PubUc-key and attribute certificate frameworks". 
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i.4] ISO/IEC 17021: "Conformity assessment — Requirements for bodies providing audit and 

certification of management systems". 

.5] ISO 14721: "Space data and information transfer systems - Open archival information system - 

Reference model". 

.6] ISO/lEC 13335-1:2004: "Information technology - Guidelines for the management of IT Security - 

Part 1 : Concepts and models for information and communications technology security 
management" . 

.7] ETSI TS 101 456: "Electronic Signatures and Infrastructures (ESI); Policy requirements for 

certification authorities issuing qualified certificates". 

.8] ETSI TS 102 042: "Electronic Signatures and Infrastructures (ESI); Policy requirements for 

certification authorities issuing public key certificates". 

.9] ETSI TS 102 231: "Electronic Signatures and Infrastructures (ESI); Provision of harmonized 

Trust-service status information". 

.10] ETSI TS 101 733: "Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic 

Signatures (CAdES)". 

.11] ETSI TS 101 903: "Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic 

Signatures (XAdES)". 

.12] ETSI TS 102 778: "Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic 

Signature Profiles". 

.13] CWA 14170: "Security requirements for signature creation applications". 

.14] CWA 14171: "General Guidelines for Electronic Signature Verification". 

.15] IETF RFC 2560: "X.509 Internet Public Key Infrastructure Certificate Status Protocol - OCSP". 

.16] IETF RFC 3161: "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)". 

.17] ISO/IEC 15489:2001: "Information and documentation - Records management". 

.18] ISO/IEC 20000 (parts 1 to 3): "Information technology — Service management (Part 1 "Service 

management system requirements", Part 2 "Part 2: Code of practice", Part 3 "Guidance on scope 
definition and applicability of ISO/IEC 20000-1"). 

.19] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a 

Community Framework for electronic signatures. 

.20] NIST SP 800-94: "Guide to intrusion detection and Prevention Systems (IDPS)". 

.21] FIPS 197: "Specification for Advanced Encryption Standard (AES)". 

.22] IETF RFC 3647: "Internet X.509 Public Key Infrastructure. Certificate Policy and Certificate 

Practices Framework". 

.23] ISO 9000:2005: "Quality management systems — Fundamentals and vocabulary". 

.24] ETSI TR 101 533-2: "Electronic Signatures and Infrastructures (ESI) Information Preservation 

Systems Security Part 2: Guidelines for Assessors". 

.25] Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on 

services in the internal market. 

.26] ISO/IEC 27000: "Information technology — Security techniques — Information security 

management systems — Overview and vocabulary". 

.27] ISO 23081 (all parts): "Information and documentation — Records management processes — 

Metadata for records". 

.28] IETF RFC 4998: "Evidence Record Syntax (ERS)". 
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[i.29] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the 

protection of individuals with regard to the processing of personal data and on the free movement 
of such data. 

[i.30] ITU-R Recommendation TF.460: "Standard-frequency and time-signal emissions". 

[i.3 1 ] Council Directive 2006/1 12/EC of 28 November 2006 on the common system of value added tax. 

[i.32] ETSI TS 102 640: "Electronic Signatures and Infrastructures (ESI); Registered Electronic Mail 

(REM)". 

[i.33] ANSI X9. 17: "Financial Institution Key Management (Wholesale)". 

[i.34] ETSI TS 102 176: "Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for 

Secure Electronic Signatures". 

[i.35] Commission of the European Communities COM(2009) 324: "Modernising ICT Standardisation in 

the EU - The Way Forward". 

[i.36] FIPS SP 800-90: "Specification Recommendation for Random Number Generation Using 

Deterministic Random Bit Generators". 



3 Definitions and abbreviations 

3.1 Definitions 

For the purposes of the present document, the terms and definitions given in TS 102 573 [3] and the following apply: 

access: right, opportunity, means of finding, using, or retrieving information 

NOTE: See ISO/IEC 15489 [i.l7]. 

activation data: data values, other than keys, that are required to operate cryptographic modules and that need to be 
protected (e.g. a PIN, a passphrase, or a manually-held key share) 

NOTE: See RFC 3647 [i.22]. 

Advanced Electronic Signature (AdES): electronic signature which meets the following requirements: 

• it is uniquely linked to the signatory; 

• it is capable of identifying the signatory; 

• it is created using means that the signatory can maintain under his sole control; and 

• it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable; 

NOTE: Directive 1999/93/EC [i.l9], article 2(2). 

analog document: document formed based on a method of measurement in which data is represented by continuously 
changing quantity, like tracks on paper (e.g. paper documents), like images on film (e.g. radiographs, microfiche, 
microfilm), like magnetic recordings on tape (e.g. audio e video magnetic cassettes and tapes) 

assessor: any physical or legal person performing an assessment on the facilities used by the IPSP to provide its 
Electronic Information Preservation Services, with the purpose to ascertain the IPSP compliance with the present 
document provisions 

NOTE: Unless differently specified, association to an official auditing entity is not implied. 

asset: anything that has value to the organization 

NOTE 1: See ISO/IEC 13335-1 [i.6]. 
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NOTE 2: Although the documents entrusted to the IPSP by its customers are not part of its tangible assets that are 
listed in the IPSP general ledger, they match this definition of "asset". In fact any damage to, or loss of, 
such documents will make the IPSP liable to pay indemnities to the documents legitimate owners. 
Additionally, such mishaps will tarnish the IPSP image that is mentioned in ISO/IEC 27002 [2], 
clause 7.1.1, letter f) among intangibles assets: "reputation and image of the organization". Therefore 
these documents are to be dealt as assets. 

asset owner: individual or entity that has approved management responsibility for controlling the production, 
development, maintenance, use and security of the assets 

NOTE: The term 'owner' does not mean that the person actually has any property rights to the asset 
(ISO/IEC 27002 [2], clause 7.1.2, footnote 2) 

applicability statement: See Statement of ApplicabiUty. 

audit trail: set of audit records each referable to a precise point in time and containing evidence pertaining to and 
resulting from the execution of a process or system function 

auditable: suitable to allow a smooth and exhaustive auditing process 

EXAMPLE: A computing procedure should record an audit track; a procedure performed by humans should 
require them to record the performed steps. 

certificate: See Public Key Certificate. 

Certificate Policy (CP): named set of rules that indicates the applicability of a certificate to a particular community 
and/or class of application with common security requirements 

NOTE: See ISO/IEC 9594-8 [i.3]. 

Certification Authority (CA): authority trusted by one or more users to create and assign public-key certificates 

NOTE: See ISO/IEC 9594-8 [i.3]. 

certification practice statement: statement of the practices that a Certification Authority employs in issuing 
certificates 

NOTE: See ISO/IEC 9594-8 [i.3]. 

Certification-Service Provider (CSP): an entity or a legal or natural person who issues certificates or provides other 
services related to electronic signatures 

NOTE: See Directive 1999/93/EC [i. 19], article 2(11). 

closure evidence: metadata suitable to provide evidence of integrity of the related set of information preserved in a 
certain time period 

NOTE 1 : The proof of integrity is provided by means of an auditable mechanism (e.g. QES/AdES) supported by a 
reliable time reference (e.g. a TST or a REM reference), or a TST supported by an audit trail suitable to 
identify who requested the TST itself. 

NOTE 2: The closure evidence structure is not specified in the present document (examples of closure evidence can 
be: LTANS Evidence Record Syntax as specified in RFC 4998 [i.28]) 

controller: natural or legal person, public authority, agency or any other body which alone or jointly with others 
determines the purposes and means of the processing of personal data (Directive 95/46/EC [i.29], article 1, letter d)) 

Coordinated Universal Time (UTC): time scale based on the second as defined in ITU-R Recommendation 
TF.460 [i.30] 

customer: See subscriber. 

delegated signer: person who is formally delegated the responsibility to issue AdES on behalf of the IPSP 

NOTE: This person can be either an IPSP employee or an external provider, where legally valid. 

document: information that can be treated as a unit and is meaningful at least to its owner 
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[Electronic] Information Preservation Service (IPS): service to which information, among which documents, is 
entrusted in an agreed form (digital or analog) for being securely kept in digital form for a period of time specified in 
the applicable agreement; this service is expected to be able to exhibit all preserved information at any moment during, 
or at the end of, the preservation period 

format conversion: process by which one or more preserved document is transposed from one digital representation to 
another while maintaining its original semantics 

information/document owner: legal or natural person that has legitimate ownership of the deposited data 

information depositor: any entity responsible for depositing information at an IPSP on behalf of the IPSP subscriber, 
upon a specific agreement with this IPSP 

NOTE 1 : The information depositor may coincide with the information owner and/or with the subscriber. 

NOTE 2: There may be one or more depositors for the same IPSP subscriber, for example where the subscriber is 
structured in several departments, each independently depositing its own information. 

Information Preservation System (IPS): set of hardware, software, policies, procedures, guidelines, practices, 
physical and organizational infrastructures aiming to ensure electronic information preservation for at least the period of 
time specified in the applicable agreements; the organizational infrastructures can be of administrative, technical, 
management, or legal nature 

Information Security Management System (ISMS): that part of the overall management system, based on a business 
risk approach, to establish, implement, operate, monitor, review, maintain and improve information security 

NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, 
practices, procedures, processes and resources (ISO/IEC 27001 [1]). 

information security policy: document that may contain the principles and directives specific to the protection of 
information that is sensitive or valuable, or otherwise of importance, to the organization 

NOTE: Principles contained therein will be derived from, and thus consistent with, the principles of the corporate 
security poHcy (ISO/IEC 13335-1 [i.6], clause 4.2). 

intrusion detection system: system that automates the process of monitoring the events occurring in a computer 
system or network and analyzing them for signs of possible incidents 

NOTE: See NIST SP 800-94 [i.20]. 

invocation: act of declaring that an organisation's business continuity plan needs to be put into effect in order to 
continue delivery of key product or services 

NOTE: See BS 25999-1 [i.l]. 

long term: period of time long enough for there to be concern about the impacts of changing technologies, including 
support for new media and data formats, and of a changing user community, on the information being held in a 
repository 

NOTE: This period extends into the indefinite future (ISO 14721 [i.5]). 

metadata: data describing context, content and structure of records and their management through time, also including 
indexing information for retrieval 

NOTE: ISO/IEC 15489 [i. 17] with modification. 

outsourcers: organisations providing the IPSP with services related to its IPS 

owner: See Asset Owner and Information/Document Owner. 

personal data: any information relating to an identified or identifiable natural person ('data subject') 

NOTE: An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an 
identification number or to one or more factors specific to his physical, physiological, mental, economic, 
cultural or social identity (Directive 95/46/EC [i.29], article 2, letter a). 
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presentation corruption agent: any code contained in a document, suitable to surreptitiously modify the document 
presentation without changing its binary content 

NOTE: Examples of Presentation Corruption Agent are: macros, hidden executable code, hidden or difficult to 
detect worksheet formulas, hidden document type tags that are ignored by the originally intended 
presenting application but that can be recognised if the document is opened with different applications. 

preservation: act of maintaining information, in a correct and independently understandable form, possibly over the 
Long Term 

NOTE: See ISO 14721 [i.5] with changes. 

preservation set: set of information preserved in a certain period of time including the related receipts 

processor: natural or legal person, public authority, agency or any other body which processes personal data on behalf 
of the controller 

NOTE: Directive 95/46/EC [i.29], article 2, letter e). 

Public Key Certificate (PKC): public key of a user, together with some other information, rendered unforgeable by 
digital signature with the private key of the certification authority which issued it (ISO/IEC 9594-8 [i.3]) 

Qualified Certificate (QC): certificate which meets the requirements laid down in annex I of the Directive 
1999/93/EC [i.l9] and is provided by a certification-service-provider who fulfils the requirements laid down in annex II 
of the same Directive 1999/93/EC [i.l9] 

Qualified Electronic Signature (QES): advanced electronic signature that meets the requirements as in 

Directive 1999/93/EC [i.l9], article 5(1): is based on a qualified certificate and is created by a secure-signature-creation. 

readability (document readability): possibility for a document to be visually read by human beings and/or to be 
machine processed 

record: See document. 

responsible [for preservation]: natural person who is in charge of the Preservation system 

sensitive data/information: See special categories of data. 

Secure Signature Creation Device (SSCD): signature-creation device which meets the requirements laid down in 
annex III of Directive 1999/93/EC [i.l9], article 2(6) 

Signature Creation Data (SCD): unique data, such as codes or private cryptographic keys, which are used by the 
signatory to create an electronic signature 

NOTE: See Directive 1999/93/EC [i. 19], article 2(5). 

Signature Creation Device: configured software or hardware used to implement the signature-creation data 

NOTE: See Directive 1999/93/EC [i.l9] article 2(5). 

special categories of data/information: personal data revealing racial or ethnic origin, political opinions, religious or 
philosophical beliefs, trade-union membership and data concerning health or sex life 

NOTE: See Directive 95/46/EC [i.29], artcile 8(1). 

NOTE: Data that are neither sensitive nor judicial data, but whose processing may jeopardize the data subjects' 
fundamental rights, freedoms and dignity, are to be dealt with as "Special categories of data". 

Statement of Applicability (SOA): documented statement describing the control objectives and controls that are 
relevant and appUcable to the IPSP ISMS 

NOTE: See ISO/IEC 2700 1 [ 1 ] . 

storage logical unit: storage unit that can be managed by the IPS service as self consistent 
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subscriber: entity that accepts an agreement on depositing information at the IPSP 

NOTE: This entity can be a legal or natural person or a different department of the organisation the IPSP belongs 
to. The agreement can be endorsed either explicitly, e.g. by undersigning contracts, or implicitly, 
e.g. when the relationship between subscriber and IPSP are governed by common rules, such as corporate 
poUcies when they are separate departments of the same organisation. 

system administrator: professional in charge of managing and servicing processing systems and/or of their 
components 

NOTE: The scope of this definition includes other professionals that can be equated in terms of data protection 
risks - such as database administrators, network and security equipment administrators, and the 
administrators of complex software systems. 

third party: 

a) Any natural or legal person, public authority, agency or any other body other than the data subject, the 
controller, the processor and the persons who, under the direct authority of the controller or the processor, are 
authorized to process the data (Directive 95/46/EC [i.29], artcile 2(f)). 

b) Any natural or legal person acting on behalf, and where applicable also in the name, of another natural or legal 
person, for example a taxable person, a customer, as in Directive 2006/1 12/EC [i.31]. 

c) Any natural or legal person who governs issuance and revocation, to one of more subjects, of qualified 
certificate. 

time-mark: information in an audit trail from a Trusted Service Provider that binds a representation of a datum to a 
particular time, thus establishing evidence that the datum existed before that time 

NOTE: See TS 101733 [i.lO]. 

time stamping authority: authority trusted by one or more users to provide a Time Stamping Service 

NOTE: See CWA 14171 [i.l4]. 

time stamp token: proof-of -existence for a datum at a particular point in time, in the form of a data structure signed by 
a Time Stamping Authority 

NOTE: See CWA 14171 [i.l4]. 

time stamping service: service that provides a trusted association between a datum and a particular point in time, in 
order to establish reliable evidence indicating the time at which the datum existed 

NOTE: See CWA 14171 [i.l4]. 

trading partner: natural or legal person that has trading relationships with the IPSP 

Trust Service Provider (TSP): body operating one or more (electronic) Trust Service 

NOTE: This term is used in preference of and with a broader application than the term 

Certification-Service-Provider (CSP) used in Directive 1999/93/EC [i.l9] (TS 102 231 [i.9]). 

unique [analog] original document: analog document existent in single instance, the semantics of which cannot be 
deduced from other documents of any kind, the preservation of which is required by the applicable legislation or rules 

3.2 Abbreviations 

For the purposes of the present document, the following abbreviations apply: 

AdES Advanced Electronic Signature 

BCP Business Continuity Plan 

CA Certification Authority 

CAdES CMS Advanced Electronic Signature 

COTS Commercial Off The Shelf 

CP Certificate Policy 
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CRL 

CSP 

DS 

BUMS 

ICT 

IPS 

IPS? 

ISMS 

ISPD 

OAIS 

OAIS 

OCSP 



Certificate Revocation List 

Certification-Service-Provider 

Delegated Signer 

European Union Member State 

Information and Communications Technology 

[Electronic] Information Preservation System 

Information Preservation Services Provider 

Information Security Management System 

Information Security Policy Document 

Open Archival Information System 

Open Archival Information System 

Online Certificate Status Protocol 



NOTE: See RFC 2560 [i.l5]. 

PAdES PDF Advanced Electronic Signature 

PCA Presentation Corruption Agent 

PIN Personal Identification Number 

QC Qualified Certificate 

QES Qualified Electronic Signature 

REM Registered E-Mail 

NOTE: As per TS 102 640 [i.32]. 

SCD Signature Creation Data 

SoA Statement of Applicability 

SSCD Secure Signature Creation Device 

TSP Trust Service Provider 

TST Time Stamp Token 

UTC Coordinated Universal Time 

XAdES XML Advanced Electronic Signature 

XML extensible Markup Language 



Overview 



The present document implies the compliance by any IPSP that implements its provisions with ISO/IEC 27001 [1], 
against which this IPSP is recommended to be certified. Certification against ISO 9000 [i.23] and ISO/IEC 20000 [i.l8] 
is also recommended. 

In particular IPSPs are expected to comply with the ISO/IEC 20000 [i.l8] specifications, since abidance by this 
ISO/IEC standard would, in fact, improve their capability: 

1) to go out to tender for their services; 

2) to provide a consistent approach by their outsourced service providers; 

3) to demonstrate their ability to meet customer requirements; 

4) to improve the services they provide. 

The present document is based on TS 102 573 [3] and specifies additional security and reliability measures for the 
Electronic Information Preservation Service Providers (IPSP), specifically addressing the potential risks associated with 
information preservation, possibly in the long term. The mentioned TS 102 573 [3] is based on, and consistent with, 
ISO/IEC 27001 [1] and ISO/IEC 27002 [2], with which the present document is also consistent. In particular, in Annex 
A, where necessary, are indicated additional requirements and/or the ISO/IEC 27002 [2] requirements that do not apply. 

The long term preservation validity should be assured by using mechanisms suitable to achieve at least the following 
purposes: 

a) Ensure the integrity of the whole of the preserved information; it would be necessary to make it possible at 

least to subsequently identify if, and which, pieces of the preserved information have been modified, deleted or 
added; 
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NOTE 1 : The whole of the information can be divided in smaller sets, based on different criteria: time, topics, etc. 

b) Ensure the accountability of the preserved information integrity by creating a reliable audit trail; this is of 
paramount importance because by assigning the preservation responsibility to one or more specific officer 
adds trust to the entire preservation cycle. 

NOTE 2: To achieve the above goals Advanced Electronic Signatures can be used, in any of their strains such as 
CAdES, XAdES, PAdES, QES, etc., as well as other suitable mechanisms, like TSTs issued by trusted 
TSAs and supported by a suitable audit trail. 

The outcome of a Risk Assessment shall be taken into account by an IPSP when implementing the measures and 
controls included in the present document. The Risk Assessment outcome shall be made available also to the assessor 
that is expected to assess the IPSP according to TR 101 533-2 [i.24]. 

The Risk Assessment should be performed having as reference ISO/IEC 27005 [i.2] and shall take into account all risks 
associated to managing the information entrusted to the IPSP by its customers. Provisions on loss and damages are 
addressed in clause 5.1.1. 

The present document may be used to implement the information security related issues within the broader scope of the 
Open Archival Information System (OAIS), as addressed by ISO 14721 [i.5] and ISO/IEC 15489 [i.l7]. 

Some issues of the present document can also be addressed by other publicly available specifications or standards. In 
this case implementers shall indicate in their Statement of Applicability (SoA) for each single item what specific 
provisions they do comply with (for further information on SoA, see clause 4.3). 

4.1 Preservation Service types 

The present document specifies: 

1) the Core Information Preservation Service each IPSP shall implement; 

2) a number of Extended Services that an IPSP may provide. 
In the present document are indicated: 

1) the functions to be implemented by an IPSP in order to provide the mandatory Core Information Preservation 
Service; these Core Services are marked [CORE]; 

2) the functions to be implemented for each Information Preservation Extended Service provided by the IPSP; 
these Extended Services are marked [EXT]. 

Other services and/or functions, additional to those indicated in the present document, may be defined elsewhere (e.g. in 
agreements, in corporate policies, etc.), but their requirements shall not conflict with those specified in the present 
document. 

Documents indicating the information security provisions for such additional services and/or functions should be 
structured like the present one. 

4.2 User Community and Applicability 

The present document is intended to be used by, but not exclusively, any IPSP as a guidance to implement and manage 
the ICT security related issues of an IPS compHant with TS 102 573 [3], ISO/IEC 27001 [1] and ISO/IEC 27002 [2], 
suitable to withstand assessment by independent Assessors. TR 101 533-2 [i.24] is intended to be used by such 
Assessors. 
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The IPSP is responsible for the implementation and management of the entire IPS, even when some of its functions are 
outsourced to external providers. Therefore provisions in the present document are expected to be complied with also if 
outsourced to external providers. Similarly, these outsourced services are expected to be assessed based on 
TR 101 533-2 [i.24]. Related provisions are specified in clause 5.1.2. 



4.3 Conformance requirements 



Each IPSP that wants to be recognized as compliant with the present document shall achieve, through assessment, 
formal recognition of its conformance to the requirements specified in its "Statement of Applicability", as defined in 
annex B for the set of functions related to the Core Information Preservation Services as well as to the Extended 
services and the additional provisions it provides (see clause 4.1). 

The present document specifies requirements for Core Information Preservation services and requirements for Extended 
Information Preservation services. 

An IPSP shall implement mandatory requirements for Core and Extended services unless really exceptional conditions 
occur. The IPSP Management can authorise deviations only after having evaluated the consequences that shall be 
extensively justified and documented in writing. 

An IPSP should implement the recommended provisions for the Core services and for the Extended services it provides. 
The IPSP Management can authorise deviations from these recommended provisions only after having evaluated the 
consequences of such deviation. This decision must be justified in writing. 

An IPSP may apply optional requirements. 

The "Statement of Applicability" shall take into consideration the outcomes of a Risk Assessment. The IPSP shall 
therein specify: 

a) what control objectives and controls indicated as recommended, or exceptionally as mandatory, in 

TS 102 573 [3], in the ISO/IEC 27002 [2] and in the present document are excluded from implementation, 
alongside with the rationale for their exclusion; 

b) what control objectives and controls indicated in other publicly available specifications are implemented 
alongside with the rationale for their inclusion. 

Additionally, as specified in clauses 4 and 4.1, an IPSP may choose to implement provisions stated in other publicly 
available specification. 



5 Provisions based on TS 102 573 

The provisions in TS 102 573 [3] relevant to information preservation, specified in the following clauses with the 
notation "(TS 102 573 [3], clause N.N, items N.N, etc.)" apply, with the addition of the provisions specified in the 
corresponding clauses. 

5.1 IPSP Obligations specified in TS 102 573, clause 6 
5.1 .1 Arrangements to cover liabilities and financial stability 

(TS 102 573 [3], clause 6.2, items 2, 3 and 5.) 

The IPSP shall initially perform a Risk Assessment to assess its financial stability and capability to cover liability and 
shall repeat it on time basis (i.e. at time intervals) and every time that substantial technical or contractual changes occur. 
This Risk Assessment should be financially quantitative. The IPSP shall have the financial capability and stability, by 
means of its own assets, an insurance policy or both, to provide the services as specified in the present document 
including meeting the possible indemnification. 
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NOTE: When addressing "indemnification", provisions in ISO/IEC 27005 [i.2] would be taken into account. In 
particular the IPSP is encouraged to perform the Risk Assessment cycle described below. 

1) The technical risks related to each asset are evaluated and the countermeasures to be consequently enforced are 
chosen. The residual risks deemed as acceptable are clearly specified. 

2) The above residual risks are financially evaluated quantifying for each single residual risk the financial 
exposure deriving for example from: 

a) the direct cost of loss (e.g. destroyed or stolen assets); 

b) the indemnification to information owners for damages deriving from lack of (timely) providing them 
with their own information. 

3) The IPSP overall financial exposure is then evaluated taking into account: 

a) the cost of insurance policies addressing all or some of the risks identified in previous item 2; 

b) the costs of risks identified in previous item 2, possibly reduced by the insurance policies. 

4) The above overall financial exposure (cost of the insurance policies plus the residual risks costs) is evaluated. 
If it is unacceptable for the IPSP, the Risk Assessment cycle will be repeated by the IPSP until the overall 
financial exposure is deemed acceptable. 

5) Eventually the IPSP specifies in the SoA the final provisions to be applied as per the outcomes of the Risk 
Assessment. 

5.1 .2 Conformance by sub-contractors 

(TS 102 573 [3], clause 6.2, items 6 and 7.) 

1) The IPSP shall bear full responsibility towards its customers for compliance with the requirements specified in 
the present document, with regard to the services it provides, "even when some or all of its functionalities are 
undertaken by sub-contractors" (TS 102 573 [3], clause 6.1, item 2). 

2) The IPSP shall oblige, through legally valid agreement, sub -contractors to which it entrusts the provision of all 
or part of the services related to its IPS, to authorise access to their own premises where the IPSP related 
activities are fulfilled, in addition to the properly identified relevant authorities, to duly authenticated: 

a) IPSP authorised personnel; 

b) Assessors appointed by the bodies with which the IPSP has an assessment/certification agreement. 

5.1 .3 IPSP service provisions in abidance by tiie applicable legislation 

(TS 102 573 [3], clause 6.2 item 1.) 

1) Where provisions in the present document conflict with the applicable legislation, the latter shall always 
prevail. 

2) The IPSP shall be registered as a legal entity according to the applicable legislation and shall exhibit evidence 
of this to any request. 

3) Abidance by the present document per se does not imply that the IPSP at issue is compliant with any 
legislation. It is up to the IPSP to achieve the legal skill suitable to ensure that the preservation services it 
provides do comply with applicable legislations. 

4) The IPSP contractual documentation shall contain in readily understandable language the regulation or sets of 
legal requirements that are complied by each of the set of services provided. 

5) Declaration in previous item 4 must be in writing using official language(s) that meet at least the following 
requirements: 

a) At least one of the languages shall be an EU official language; 
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b) Agreement by the parties on the language(s) to be used. 

6) The IPSP shall have in force auditable procedures suitable to fulfil, without undue delay, requests for 

exhibition or delivery of the preserved data, submitted by duly authorised entities, among which the relevant 
authorities, and, where personal data are dealt with, the Controller. [EXT.l] Personal data preservation: 

a) If the IPSP is based in one European Union Member State and preserves personal data, it shall abide by 
the rules of the applicable legislation regarding transfer of personal data to a third country. 

b) If the IPSP processes personal data to make up the related metadata, this shall only occur under 
agreement with the document owner/controller and these metadata shall be dealt with under the same 
provisions as the information of origin. 

5.1 .4 Compliance with tine present document provisions 

1) The IPSP shall comply with all provisions in the present document taking into account what it specifies in its 
Statement of Applicability. 

2) The IPSP shall transpose, as applicable, the provisions in the present document in its Information Security 
Policy Document, in its Operational Procedures, in the employees' job description and in all similar 
documents. 

3) The IPSP shall demonstrate its compliance with those provisions of present document it specifies in its 
Statement of Applicability to Assessors and other authorised bodies by also exhibiting prior assessment reports 
issued by relevant entities, where applicable. 

5.1.5 Contractual aspects 

(TS 102 573 [3], clause 6.2, several items.) 

1) The IPSP shall implement and have in force auditable procedures ensuring that the data depositor's identity 
and role is duly verified when subscribing the service agreement. 

2) The agreement between IPSP and information owners shall specify whether the IPSP has the right (or duty) to 
process the data in order to extract the related metadata and, where this agreement exists, the mechanism 
through which metadata must be derived from the information to be preserved. 

3) The agreement between IPSP and information owners shall specify what roles, including e.g. Assessors and 
relevant authorities, are entitled to access the preserved information. 

4) The IPSP shall implement and have in force auditable procedures, ensuring that, upon authorised request or 
upon closure of the preservation contract stipulated with one or more of its customers, the IPSP shall be able to 
give back to their respective legal owners, in a formally agreed format, the information that was originally 
deposited within the maximum time as per subsequent item 6. 

5) The format as per the previous item 4 shall be: 

a) either the document's original format; or 

b) a format as per clause 6.3.3, SS.3.3. Document Readability item 1), b). 

6) The IPSP shall agree with each subscriber consistently with what is specified in the previous item 4 the 
maximum time for the IPSP to: 

a) exhibit a preserved document; 

b) exhibit various sets of preserved documents; 

c) give back to the documents owner the entire set of preserved documents in either case: upon request or at 
agreement expiration. 

7) The service agreement with the document owner shall specify whether along with the information detailed in 
the previous item 6, also the derived metadata are to be delivered, or not, to the document owner. (See also 
clause 5.1.3 IPSP service provisions in abidance by the applicable legislation item 6.b.) 
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8) If the agreement with the subscriber requires that, upon occurrence of some conditions, the IPSP must 
automatically delete specific preserved information; also the related backup copies, metadata, detached 
electronic signatures, where applicable, and any data from which such information can be reconstructed or 
related information can be derived must be deleted by the IPSP. Closure Evidence should be structured in a 
way not to be affected by the above deletion or, if this is impossible, a mechanism should be implemented 
providing a reference to the original Closure Evidence to maintain the trust chain. 

9) The IPSP shall agree with the document owners the media on which the documents are to be given back to 
their owners. 

NOTE 1: Please refer to clause 6.3.4, SS.3.4. Storage media type for media related provisions. 

10) When giving back documents to their respective owners, in particular upon closure of a preservation contract, 
the IPSP shall provide them alongside with the electronic measures ensuring their authenticity and integrity as 
per the applicable legislation, for instance using electronic signatures. 

11) The service agreement, unless already addressed by the applicable legislation, should specify the procedure for 
granting the ownership of documents to a new document owner, in case the original document owner ceases to 
exist (e.g. upon death of a natural person). 

12) The IPSP shall specify in its agreement with a subscriber its personnel responsible for interfacing the 
subscriber as regards exchanging the contractually related information, among which the information to be 
preserved. The list of these persons shall be timely kept up to date to prevent information disclosures to 
unauthorised persons. 

NOTE 2: See clause 5.1.8. IPSP Subscriber Obligations item 2 for the provisions addressing the reverse 
communication. 

13) The IPSP shall have in force auditable procedures ensuring that the preserved documents are delivered or 
exhibited to legitimately entitled persons only, including duly authorised Assessors. 

14) The modalities through which the deposited documents are made available to authorised entities shall be 
specified in the service agreement. 

5.1 .6 Resolution of complaints and disputes 

(TS 102 573 [3], clause 6.2, item 5.) 

1) The IPSP shall have in force auditable procedures to provide subscribers for each batch of documents 
deposited at the IPSP's, with one or more receipts specifying detailed information suitable to withstand as 
evidence of the deposit even in court, for example supported by legally valid electronic signatures. The content 
of this information shall be specified in the service agreement. 

NOTE: See also clause A.12.2.1, Input data validation. 

2) The IPSP shall have auditable procedures to securely and reliably record and keep: 

a) Evidence of the information reception; 

b) The instructions from the depositor on: 
i. How to handle the information. 

ii. When and how modification and deletion to the preserved information are to be applied. 

3) [EXTl] Personal data preservation. 

a) [EXTl.l] The IPSP shall have auditable procedures to report without delay to the correct controller(s) 
the requests by the personal data subjects related to their preserved personal data. 

b) [EXTl. 2] The IPSP shall have in force auditable procedures that, in compliance with the applicable 
legislation, facilitate access by the data subjects to their personal data, rendered in intelligible form, 
within the maximum delay provided for by such legislation. 
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5.1.7 Organisation independence 

(TS 102 573 [3], clause 6.2, item 8.) 

1) In order for the IPSP structure to comply with provisions of TS 102 573 [3], clause 6.2, item 8, one of the 
following shall be implemented: 

a) the IPSP is a company independent from any of its customers and from any of its providers of its 
electronic signature certification services (Certification Authorities), of time stamping services (Time 
Stamping Authorities) and of time reference services (UTC time providers); 

b) if the IPSP belongs to the same organisation as one or more of its customers or of the providers 
mentioned in the previous item, the IPSP shall ensure that its decisions regarding information 
preservation and exhibition and regarding its abidance by the applicable legislation are free from undue 
influence. 

5.1 .8 IPSP Subscriber Obligations 

(TS 102 573 [3], clause 6.3.) 

1) Provisions in TS 102 573 [3], clause 6.3, shall apply to all information types, i.e. also to not fiscally relevant 
ones, with the exception of subscribers' signing keys, since the IPSP is not expected to issues electronic 
signatures on behalf of its subscribers; for the same reason the last paragraph does not apply either. 

2) The IPSP shall oblige through agreement the subscriber to communicate to the IPSP, with the timing that shall 
be specified in the relevant agreement, the identity of the persons entitled to act on his behalf, their specific 
roles and, where applicable, the means to identify and authenticate them. 

3) The IPSP shall in its contracts clearly specify that the subscriber is eventually responsible towards the 
authorities for the compliance with the applicable legislation of the deposited information content, media, 
formats, etc. 

5.1 .9 Information for trading partners 

(TS 102 573 [3], clause 6.4.) 

1) Provisions in TS 102 573 [3], clause 6.4 shall apply, with the exception of item a) that is covered in 
clause A. 12.2.1, item 4, whereas the term "document signed by the TSP" has the broader meaning of any 
information, also related to the IPS security enforcing mechanism. 

2) All subscribers shall be provided with the following information on the IPSP: 

a) Whether the IPSP performs all the preservation related functions in person or by means of external 
providers. 

b) Information suitable to identify the external providers that perform all or part of the preservation related 
functions on behalf of the IPSP. 

NOTE: See also clause 6.1.2, SS.1.2 Certification. 

5.1 .1 Information for auditor/regulatory/tax authorities 

(TS 102 573 [3], clause 6.5.) 

1) The IPSP shall have in force audi table procedures that ensure that the information to be reviewed by and 
exhibited to auditors. Assessors and authorities is exhibited along with the data proving its authenticity and 
integrity. 

2) The IPSP shall specify auditors, regulatory and tax authorities the security measures they must abide by when 
accessing the IPS. 
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6 Objectives and controls in TS 102 573, annex A 

The provisions in TS 102 573 [3] relevant to information preservation specified in the following sub-clauses apply with 
the addition of the provisions specified in the corresponding clauses. 



6.1 SS.1. Signature 



1) The long term preservation validity should be assured by using Advanced Electronic Signatures, in any of their 
strains such as CAdES, XAdES, PAdES, QES, etc. Other appropriate mechanisms may also be used, for 
example based on TSTs issued by a trusted source. 

NOTE: Please be aware of the different contexts for the controls and objectives for applying electronic signatures 
in TS 102 573 [3] and in the present document. Whilst in the context of TS 102 573 [3] electronic 
signatures are used by the service provider to sign documents on behalf of a service user, in the context of 
the present document they are used by the service provider as a possible means to prove the integrity of a 
preserved set of information as well as, if agreed with the IPSP customer, of a single document to be 
preserved on behalf of a service user (whether or not the document to be preserved was already signed at 
the time of acceptance for preservation by the service provider). 

6.1 .1 SS.1 .1 . Class of Electronic Signature 

1) As a derogation from the basic requirements of TS 102 573 [3] "[N+]" normalized policy requirements, the 
electronic signature issued on behalf of the IPSP, in particular if used on the Closure Evidence, is not required 
to be a QES, but shall be at least an AdES, in compliance with the applicable legislation. 

NOTE: Possible AdES can be, but not exclusively, CAdES, XAdES, PAdES, as specified in TS 101 733 [i.lO], 
TS 101 903 [i.ll], TS 102 778 [i.l2], respectively. 

6.1.2 SS.1. 2. Certification 

1) Certificates issued to the IPSP DS should be based on the most recent version of ISO/lEC 9594-8 [i.3]. 

2) The IPSP shall inform its subscriber prior to the service subscription of: 

a) the complete information on the CAs that issue signature certificates to its DS; and 

b) where the certificates used by the IPSP to support its signatures are not QCs, on what are the Certificate 
Policy and the Certificate Practice Statement complied with by the issuing CA and how this CA is 
assessed as complying with them; and 

c) who the TSAs are that issue timestamps for providing trusted time references to the preserved 
documents, and the respective policies of these TSAs. 

3) If the IPSP performs bulk signatures it is recommended that the signature certificates specify limitations of use 
suitable to prevent misuses, such as stealthily adding bogus documents to the signature pipeline. 

EXAMPLE: Signature certificates can specify that they are to be used only to sign documents in an IPSP 

context and that their signature does not imply commitment by the signer to the document content. 



6.1 .3 SS.1 .3. Signature Creation Data 



1) Any IPSP key management activity shall be auditably logged. Where SSCD are used, the IPSP shall ensure 
they are provided, used and activated in compliance with the applicable CP/CPS. Where SSCD are not used, 
the IPSP shall ensure that reliable procedures and security mechanisms are enforced ensuring the SCD 
confidentiality. 
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6.1 .4 SS.1 .4. Certificate subject's Registration 

1) Delegate signers shall be officially appointed by the IPSP relevant management or shall be delegated by the 
responsible for preservation. 

2) The IPSP shall require all DS certificates to be issued upon specific agreements with CAs. Such certificates 
should specify in the "Organization" field a reference to the IPSP. 

3) Where the adopted certificates are QC, all DS shall, where legally required, have been registered by a CA 
operating in compliance with the Certificate Policy defined in TS 101 456 [i.7] or with a Certificate Policy 
recognised as suitable by the relevant Authority. 

4) Where the adopted certificates are not QC, all DS should have been registered by a CA operating in 
compliance with the Certificate Policy defined in TS 102 042 [i.8] or with a Certificate Policy recognised as 
suitable by the relevant Authority, where applicable. 

6.1 .5 SS.1 .5. Certificate Revocation 

1) The IPSP shall have in force audi table procedures to effectively request for revocation of the certificates used 
for the purpose of the IPS. These procedures shall be consistent with the agreement with the CA, that shall 
specify who (apart from the certificate subject) is entitled to forward a revocation request to the CA. 

2) The IPSP DS, be they employees of the IPSP or of external providers, shall request for the revocation of their 
certificate used in supporting AdES issued on behalf of the IPSP as soon as they become aware, or have 
reasonable doubts, of the compromise of the correspondent private key. 

3) The IPSP shall request for revocation of one certificate that was issued upon its request: 

a) as soon as the IPSP becomes aware of, or have reasonable doubts on, the compromise of the 
correspondent private key, regardless of whether the certificate subject has already submitted a similar 
request; or 

b) upon cessation of the certificate subject from the task in relation of which the certificate was issued; in 
this case the revocation request shall be submitted to the CA timely enough for the revocation to come 
into force before the certificate subject leaves his/her office. 

6.2 SS.2. Maintenance of Signature over storage period 

1) The IPSP shall ensure that the signatures it issues (e.g. within the Closure Evidence) are maintained as 
specified in the subsequent items, so that their validity can be verified at any time during the preservation 
period. 

2) In order to allow the reliable verification of an AdES even if its supporting certificate is revoked or expires 
after the signing time, a reliable time reference should always be applied to it as close as possible to the actual 
signing time, to provide evidence that the AdES existed before expiration or a possible certificate revocation. 
Possible reliable time references are: 

a) TST, the format of which should be based on RFC 3161 [i.l6] and on its updates or replacements. 

b) Other trusted time evidence legally valid according to the applicable legislation, i.e. assertion by a trusted 
entity that the signature at issue existed at a certain point in time. 

c) Time-mark in an audit trail. 

NOTE 1: Further information can be found in CWA 14170 [i.l3]. 

3) The IPSP shall have in force auditable procedures for maintaining signatures that, where applicable, envisage 
collecting evidence supporting the validity of signatures and that should be based on existing specifications, 
e.g. CWA 14171 [i.l4]. 

NOTE 2: Among the evidence types the IPSP would fetch and store, at least for as long as the related signature, can 
be: CRLs (when the relevant CA removes the expired certificates from the CRL) or OCSP Responses. 
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4) The IPSP may derogate from the available technical specifications (e.g. CWA 14171 [i. 14]) if they do not 
meet its legal/technical needs. 

NOTE 3: If the IPSP has as a reference a specification, such as CWA 14740 [i.l3], that does not take into account 
that the CA keeps the expired certificates in the CRL, in compliance with ISO/IEC 9594-8 [i.3], the IPSP 
may take this fact into account in its procedures to maintain signatures. 

5) If the IPSP is a legally recognised trusted entity, such as a Public Officer, previous items 1 to 4 might not 
apply according to applicable legislation. 

6.3 SS.3. Storage 

6.3.1 SS.3.1 . Authorized Access 

1) The IPSP shall have in place documented and auditable procedures to prevent any unauthorized access. Where 
applicable, the status of document ownership (as in the case of heirs) shall be ascertained, for example through 
verification at central Registries. Among authorised persons, but not exclusively, are: 

a) Information owners, including their legal representatives that shall be named in the agreement or in 
subsequent papers recognised as authentic and valid. 

b) Duly authorised personnel. 

c) Public Authorities such as authenticated police and tax authority officers. 

2) The IPSP shall modify and/or delete the preserved information only upon valid request by the information 
owner or in compliance of specific contract stipulations. The IPSP shall keep an audit trail of any modification 
and/or deletion. 

3) Where the remote access requires an end-to-end encryption to be implemented the IPSP shall agree with the 
counterpart what encryption system, selected among the state of art ones, best suits the specific case and shall 
document the reason of the choice. The previous documentation is not necessary if the encryption system is 
imposed by force of law or by an authority, such as national or international courts or the police forces. 

4) Access authorisation to preserved information shall not be all encompassing, i.e. each authorised entity shall 
be able to access only the information it owns or it has specific rights for. 

See also clause 6.4, SS.4. Reporting to and Exchanges with Authorities. 



6.3.2 SS.3.2. Authenticity and Integrity 



In addition to provisions in clauses 6.1, SS.l. Signature, and 6.2, SS.2. Maintenance of Signature over storage period, 
related respectively to the clauses SS.3.2. 1 and SS.3. 2. 2 of TS 102 573 [3], annex A, the following provisions apply, 
related to SS.3. 2. 3 "Mechanisms to detect loss or surreptitious addition of documents shall be used" . 

1) In order to streamline both the preservation process and the remote exhibition of preserved documents, the 
IPSP should adopt a solution based on Closure Evidence. 

2) Where the Closure Evidence is used the IPSP shall document how the Closure Evidence solution is 
implemented, based either on a publicly available specification or on custom developed specifications. 

3) Where the IPSP does not implement the Closure Evidence mechanism it shall implement mechanisms ensuring 
to achieve over time the same authenticity, integrity and accountability objectives as the signed Closure 
Evidence. 

4) If the Closure Evidence is based on a publicly available specification, the IPSP shall document which options 
of such specification are implemented. 

5) If the Closure Evidence is not based on public specifications, the IPSP shall draft and retain a detailed 
technical specification describing how the Closure Evidence is structured and maintained. It is vital that the 
authenticity, integrity and readability of the Closure Evidence are ensured over time. 
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NOTE: The CE structure can be based as follows: 



a) It contains metadata related to one specific set of preserved documents, built up for example with 
the digests of at least all the documents therein contained, including the receipt (see Clause 5.1.6) 
related to these documents. Thus, the Closure Evidence proves that documents with the given 
digests were stored by the IPSP. 

b) It is structured in a way to facilitate parsing. 

c) It is updated every time a new document, upon duly authorized request from the IPSP subscriber, is 
added to / deleted from the set of the preserved information it relates to; upon update a new Closure 
Evidence is created, as per the following item 8. 

d) It is structured in a way to allow the traceability of documents and the accountability of the IPSP. 
For every digest within the Closure Evidence, the IPSP is to be able to exhibit one of the following 
at any point of time: 

i. the preserved document with the corresponding digest; 

ii. the documentation regarding the deletion of the document with the corresponding digest. 

e) It is verifiable even after the deletion of any document protected by it. 

6) Where the Closure Evidence is sealed with a signature, the IPSP shall state with this signature that the 
preservation process has been properly performed, in abidance by the present document provisions. 

7) The IPSP shall have in force auditable procedures ensuring that, when the algorithms on which the Closure 
Evidence is based on are becoming cryptographically weak, a new Closure Evidence will be created based on 
state of art algorithms. This new Closure Evidence shall have a reliable link to the previous Closure Evidence 
to maintain the chain of trust. A similar solution shall be implemented when other mechanisms are used 
instead of the Closure Evidence. 

6.3.3 SS.3.3. Document Readability 

This entire clause is to be assumed to address [EXT] services aiming to ensure documents readability. 

1) To ensure information availability, documents readability shall be met, either at the place of preservation or 
remotely, even in case of formats obsolescence. To achieve this the IPSP: 

a) depending on the applicable legislation shall store, for all the time the documents are kept in their 
original format, the software necessary to the documents exhibition. Where necessary also the related 
hardware shall be kept as well as any other necessary equipment required to perform the documents 
presentation. 

NOTE 1: One possible way of fulfilling this requirement is to store the original software and hardware. Another 
possible way is to store the specifications of the documents format, and to guarantee that there will exist 
software applications capable of exhibiting those particular formats. This latter method can be used only 
if the specification of the document format can be obtained, e.g. in case of open document formats. 

b) Where the applicable legislation requires or allows format conversion: 

i. The IPSP shall implement it consistently with records management related ISO standards. 

ii. Where the IPSP is not itself a trusted third party (e.g. a Public Officer), it shall have in force 

auditable procedures to require the intervention of a trusted third party attesting that the documents 
transposed in a new format have maintained their original semantics. 

2) The IPSP shall have in force auditable procedures to verify the actual readability of the preserved information 
at intervals, as a minimum as provided for by the applicable legislation, suitable to ensure timely detection of 
degradation in readability. 

NOTE 2: Examples of degradation in readability are: corruption of a particular media used for storing the 

document; corruption of some bits of the documents; or when all bits of a document are available, and the 
IPSP can present them to the document owner, but the IPSP cannot display the document properly in a 
readable format anymore. 
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3) Where degradation in information readability is detected, the IPSP shall recreate the information at issue from 
its backup copies with timeliness suitable to prevent delays in the documents exhibition upon request. This 
event shall be dealt with as an Information security incident (see clause A. 13). 

4) The agreement in force between the IPSP and the information owners shall address what follows. If 
degradation in information readability is detected and it is impossible to recreate the information as it 
originally was, the IPSP shall execute an auditable procedure to formally notify the information owners 
without delay. 

5) The IPSP Business Continuity Management (see clause A. 14, Business continuity management) shall address 
also the software and hardware consistently with the previous item 1, in particular letter a. 

6.3.4 SS.3.4. Storage media type 

1) Where the applicable legislation does not require specific media types, and the media types are of concern to 
the information owners, the IPSP may agree on these media types with the information owners, provided they 
are chosen among the state of art ones. 

NOTE: It is possible that the IPSP accepts and exhibits documents over a network only. In this case, the 
information owner does not need to work with the media used by the IPSP. 

2) In case the IPSP uses media types not suitable to last at least for the envisaged preservation period, or if the 
adopted media prove not to last as long as expected, the IPSP shall have written plans and auditable 
procedures for regularly migrating from one media type to another, performing information recreation 
procedures too. 

3) If the IPSP learns that - in contrast to their specifications - the used media types do not last for the envisaged 
preservation period, the IPSP shall migrate to another media type in time. 

6.3.5 SS.3.5. Documents Format 

1) Agreements between the IPSP and its service subscribers shall specify explicitly if the documents submitted to 
the IPSP are in analog and/or in electronic formats. See also clause 5.1.8, item 3. 

2) The IPSP should submit all deposited documents to the preservation process. Deviations may exist if 
EXTENDED services are provided as specified in the subsequent clauses 3 to 5, or in further EXTENDED 
services, and the agreement with the depositor stipulates that documents, that the IPSP reports to the subscriber 
as faulty, are not to be preserved as delivered by the subscriber, as specified in the subsequent item 6. 

3) [EXTl] - When the documents submitted to the IPSP are in electronic format the IPSP shall have in force 
auditable procedures to verify if the received document formats comply with the applicable legal requirements 
or with the formats agreed with the customer (see also clause 5.1.5, Contractual aspects, item 5). 

4) [EXT2] - When the documents submitted to the IPSP are in electronic format the IPSP shall have in force 
auditable procedures to verify, based on documentation issued by de jure or de facto standardisation 
organisations, if the received document formats are not known as prone to hosting Presentation Corruption 
Agents. 

NOTE: Among the "de facto" standardisation organisations are the "specialised and mostly global fora and 
consortia" the EU COM(2009) 324 [i.35] paper explicitly mentions and for which it suggests at 
section 2.5: "European policy should build on and benefit from the potential provided by fora and 
consortia". 

5) [EXT3] - When the documents submitted to the IPSP are in electronic format the IPSP: 

a) shall have in force auditable procedures to verify whether the received document formats are free of 
Presentation Corruption Agents (see also previous item 4), and it shall notify the subscriber of any fault; 
and 

b) shall have available evidence of the capability of the above auditable procedures to actually verify 
whether the received document formats are free of Presentation Corruption Agents. This evidence may 
be provided experimentally through test runs. 
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6) If the previous clauses from 3 to 5 apply the IPSP shall notify the subscriber of any exception and shall deal 
with the faulty documents as specified in the agreement with the subscriber. 

EXAMPLE: The IPSP can submit to preservation only the compliant documents, or else also the non compliant 
ones, or amend the non compliant ones and submit them to preservation once amended, etc. 

7) [EXT4] Where information must be preserved in XML format, all information that concurs in producing the 
presentation of this information, according to de jure or de facto standards in force that must be agreed upon 
with the subscriber shall also be preserved. 

6.3.6 SS.3.6. Requirements on Separation and Confidentiality 

1) The IPSP shall have in force auditable procedures ensuring the implementation of TS 102 573 [3], annex A, 
SS.3.6, in order to ensure records' confidentiality by segregating assets of different information owners, at least 
using a suitable logical access separation. 

6.4 SS.4. Reporting to and Exciianges with Autinorities 

1) Where remote access is legally allowed or required, the IPSP shall have in force auditable procedures ensuring 
the implementation of TS 102 573 [3], Annex A, SS.4.1, by enacting remote exhibition and submission of the 
preserved documents to the requesting Authorities through secured channels, i.e to ensure the confidentiality 
of: 

a) The authentication process. 

b) The transmitted documents. 

For example based on state of art TLS protocols or on end-to-end encryption. 

NOTE 1 : The possibility that the said Authorities are equipped to implement on their side neither TLS channels nor 
end-to-end encryption is not taken into account. 

NOTE 2: In this case derogation from requiring compliance with TS 102 573 [3], annex A, SS.4.2 [N+] is accepted. 
TS 102 573 [3] "[N]" variant of normalized policy is also acceptable. 

NOTE 3: Compliance with TS 102 573 [3], annex A, SS.4. 3 is ensured by compliance with clause SS.2 
Maintenance of Signature over storage period. 

6.5 SS.5. Conversion of Analog Originals to Digital Formats 

NOTE 1: The original title of the corresponding TS 102 573 [3], clause is SS.5 Conversion of Paper Originals to 
Digital Formats. 

Implementation of this clause provisions is to be considered an EXTENDED service. 

[EXTl] The present document lays down no provision related to handling analog documents. 

1) [EXTl.l]: 

a) [EXTl. 1.1] The IPSP shall have auditable procedures to convert documents, originally in analog formats, 
to electronic formats, agreed upon with the document owner, that (see also clause 6.3.5, SS.3.5. 
Documents Format item 8): 

i. are formally recognised as legally valid, where applicable; or 

ii. are indicated by technical reports, issued by de jure or de fact organisations, as known, at the 
current state of art, as immune from PC As. 

NOTE 2: More on document formats is at clause 6.3.3, SS.3.3. Document Readability, item 1) b.; more on de jure 
and de facto organisations is at clause 6.3.5, SS.3.5. Documents Format item 4. 
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b) [EXTl . 1 .2] The above procedures in the previous item 1 .a shall provide for each set of analog documents 
an audit trail, that should be based on de jure or de facto standard specification, specifying at least: 

i. The processing operator identifier, whose identification shall be supported by strong authentication. 

ii. An inventory of documents making up each single batch that was input into the procedure. 

iii. The number and type of failures occurred in processing each single batch of documents. 

iv. The number and type of manual and automated interventions performed, while converting each 
single batch of documents, to remove processing problems and the documents related to each 
problem; if the problem is such to require removal of documents from the conversion process, this 
shall be clearly indicated, at least referring to the documents numbering in the process. 

V. The overall number of the output documents generated from the conversion of each single batch. 

c) [EXTl. 1.3] As the last step of the conversion procedure in the previous item Lb the Closure Evidence 
should be generated. 

NOTE 3: If requirement in clause 6.3.2, SS.3.2. Authenticity and Integrity, b). is implemented, the Closure 
Evidence would be generated. 

2) [EXTl. 2] Where one analog document is to be digitally preserved, and it is a "unique original" an AdES 
should be applied on behalf of the IPSP to its electronic copy; it is recommended that the assertion provided 
for by TS 102 573 [3], annex A, SS.5.2, is associated to the electronic copy, even if not required by the 
applicable legislation. 

3) [EXTl. 3] The IPSP shall make available to the Assessors the outcomes of the Risk Assessment addressing the 
conversion from analog to digital format, specifying the rationale for the consequent operational choices. 
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Annex A (normative): 

ISO/IEC 27001 related Long Term Preservation-specific 

ISIVIS control objectives, controls and implementation 

guidance 

A.1 Reference to ISO/IEC 27001 

In each of the subsequent clauses, from A.5 on, the corresponding ISO/IEC 27001 [1] clause is specified. 

A.2 Basic ISO/IEC 27002 provision 

The number of each of the subsequent clauses, from A.5 on, matches the numbering of the corresponding 

ISO/IEC 27002 [2] clause (e.g. clause A.5. 1.1 of the present document corresponds to ISO/IEC 27002 [2], clause 5.1.1). 

Compliance with the controls in the ISO/IEC 27002 [2] clauses is recommended. 

A.3 Enhanced ISO/IEC 27002 provisions 

Each subsequent clause inherits provisions in the corresponding ISO/IEC 27002 [2] Clause while specifying, where 
applicable, which ones do not apply, or, conversely, are deemed as mandatory, in the IPSP environment. 

A.4 New specific controls 

In each subsequent clause additional provisions, mandatory, recommended or optional, may be specified. 

A.5 Security Policy 

A.5.1 Information security policy 

A.5. 1 . 1 Information security policy document 

Long Term Preservation specific controls: 

a) The IPSP shall have in force Information Security Policy Document endorsed by the relevant and specifically 
appointed senior management, also covering the instructions from the Controller, where personal data are dealt 
with. 

b) The ISPD shall address the information protection in a manner commensurate with the specific information 
sensitivity, value, and criticality (see also clause A.7.2.2, Information labelling and handling) as specified in 
the agreements with the information owners. 

c) The Information Security Policy Document, specifying among other things each role's duties and privileges, 
shall be made available, and where applicable delivered, in auditable way to all personnel involved in the IPS 
operations, including external providers of IPS related services. In the latter case of personnel belonging to 
external providers, the ISPD shall be formally delivered to the recognised representative of each external 
provider who shall, in turn, deliver it in an auditable way to the interested persons. See also clause A.8.1.3, 
Terms and conditions of employment. 
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d) Where necessary for confidentiality reasons, the Information Security PoHcy documentation should be 
structured in parts to be distributed, consistently with the confidentiality level requirements, only to the 
persons that have the specific and actual need to know. 

A.5.1 .2 Review of the information security policy 

Long Term Preservation specific controls: 

1) The Responsible for Preservation, supported by specialised teams having as purpose to keep themselves up to 
date with security and legislation topics, shall ensure that the ISPD is reviewed, based on the outcomes of a 
previously repeated Risk Assessment: 

a) At least yearly. 

b) Upon detection of security incidents or of security weaknesses deemed at high risk by the IPSP incident 
management body (see also clauses A.13.2.1 Responsibilities and procedures, item 1, and A.13.2.2 
Learning from information security incidents, item 2. 

2) The IPSP Management shall enforce the reviewed ISPD, in particular when the revision was triggered by 
security incidents or by identified security weaknesses, with timeliness depending on the severity of the 
identified risks. 

3) The timeliness as in the previous item 2 shall be derived from the Risk Assessment. 



A. 6 Organization of information security 

A. 6.1 Internal organization 

A.6.1 .1 Management commitment to information security 

Long Term Preservation specific control: 

1) The IPSP shall keep exhaustive and auditable documentation, even historical, on the IPS organisation. 

2) The IPSP should make sure that all depositors are made aware of the up to date IPSP organisation as per what 
affects them. 

3) The IPSP may specify the information organisation scheme in a document available to its subscribers since the 
inception of their contractual relationship. 

4) The IPSP Management shall ensure that implementation of ISO/IEC 27002 [2] corresponding clause item g) 
("initiate plans and programs to maintain information security awareness") includes ascertainment that the 
persons are timely retrained at least whenever the ISPD and/or the procedures are updated. Upon update due to 
security incidents a description of the occurred incident should be provided as confidential information to the 
persons who have the need to know. 

A.6. 1 .2 Information security co-ordination 

Long Term Preservation specific control: 

1) The IPSP security shall be governed throughout the entire IPSP in a way suitable to prevent implementation of 
conflicting practices in the various IPSP departments (e.g. hierarchical structure). 
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A.6.1 .3 Allocation of information security responsibilities 

Long Term Preservation specific controls: 

1) A suitable chain of command for the information security responsibilities shall be clearly defined, consistently 
with the IPSP size; the responsible persons shall be clearly identified by name and/or by role title; the 
identification of reference points in case of security incidents shall be continuously and unambiguously 
assured. 

2) The documentation of clause A.6.1.1. Management commitment to information security item 1) shall indicate 
as a minimum who have been in the time the officers Responsible for the Preservation and for each of them in 
what time period. 

3) Each officer, to whom information security responsibilities are allocated, shall be assigned his/her duties in 
writing and shall accept them in writing (see also clause A.8.2.1, Management responsibilities). 

A.6.1 .4 Authorization process for information processing facilities 

Long Term Preservation specific control: 

1) Particular care should be taken when emerging technologies are implemented, since the possible attacks on 
their authentication mechanisms may not be entirely known, therefore a specific sign off from the department 
in charge of Information Security should be obtained before implementing emerging technologies. 

NOTE: With the purpose of better specifying this clause applicability, the following non exhaustive list is 
provided of items that fall under the term "facility". 

i. buildings; 

ii. building infrastructures, such as: gates, alarms, locks; 

iii. IT equipment, both static and portable; 

iv. temporary store for media and equipment; 

V. air conditioning systems, including their ducts that may convey toxic substances, virus and 
bacteria; 

vi. regular and emergency power supplies; 

vii. communication networks; 

viii. personnel authenticating systems, e.g. PIN PADs, cryptographically based objects like smart cards 
and biometric identification systems. 

A.6. 1 .5 Confidentiality agreements 

Long Term Preservation specific controls: 

1) No information on the IPSP, on its IPS related service providers, on its customers and on the preserved 
information shall be disclosed unless a derogation authorisation has been explicitly specified in writing by the 
information owner, by the IPSP management or by the IPS related service providers, respectively, depending 
on the information at issue, and, even in this case, it shall only be disclosed to persons with a need to know 
formally recognised either by the information owner or by the IPSP management. 

2) The provision in the previous item 1) shall apply also when the IPSP advertises its own researches for 
personnel. 

3) The confidentiality measures shall be implemented taking into account, among other things, the information 
depositor's instructions and the applicable legislation. 
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A.6.1 .6 Contact with authorities 

Long Term Preservation specific control: 

1) The IPSP shall indicate by name or job title which officers are entitled to speak to authorities on behalf of the 
IPSP. 

A.6.1 .7 Contact with special interest groups 

Applicable. No further control and/or implementation guidance needed. 

A.6.1 .8 Independent review of information security 

Long Term Preservation specific control: 

1) If the IPSP Management, either out of its own act of will or where so required by the applicable rules, appoints 
auditors to enact reviews on the IPS, these auditors shall in advance provide evidence of their compliance with 
the rules on auditors' conformity, such as ISO/IEC 17021 [i.4]. 

A.6.2 External Parties 

A.6.2.1 Identification of risks related to external parties 

Applicable. No further control and/or implementation guidance needed. 

A.6.2. 2 Addressing security when dealing with customers 

Applicable. No further control and/or implementation guidance needed. 

A.6.2. 3 Addressing security in third party agreements 

Long Term Preservation specific controls: 

1 ) [EXT 1 ] Data protection: 

Outsourcing of IPS related services to organisations resident in third countries shall comply with the 
implementation in the applicable legislation of Directive 95/46/EC [i.29], article 25 (2). 

2) The obligations specified in the agreements with third parties shall be in line with the outcomes of the Risk 
Assessment. 

3) The inception of any IPS related outsourced activity shall be subordinated to the IPSP management's approval 
of the related outsourced service provider's Information Security Policy Document. 

4) If the IPSP is not in possession of the skill necessary to assess the Information Security Policy Document 
specified in the previous item 3, it may resort to external consultants that shall have neither business nor 
organisational links with the service provider at issue. 

5) Agreements between IPSP and its providers of IPS related services shall specify to which extent the continuity 
of the service providers business operations related to the IPS shall be ensured. 

6) Agreements with providers of outsourced IPS related services shall ensure the existence of an effective and 
regularly tested back-out plan, approved by the IPSP Information Security management, which permits the 
IPSP to revert to internal processing and/or to move to another provider the services at issue. 

NOTE I : One example of changing service provider is the telecommunication services provision where the IPSP 
can have in force multiple agreements with different telcos. 
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7) Agreements with providers of outsourced IPS related services shall include the IPSP right to: 

a) access, through duly authorised and authenticated persons, where necessary delegated by the IPSP, the 
information preserved by the provider on behalf of the IPSP; and to 

b) perform, directly or by means of external auditors delegated by the IPSP, inspections on the providers' 
activities and premises, related to the IPS related services, and on the information they manage on behalf 
of the IPSP. Agreements shall specify the inspection modalities. 

8) Agreements with developers of "ad hoc" software shall require them to deposit in an agreed software escrow 
facility the most recent version of the developed source code and the related operations documentation using 
agreed formats and media. 

NOTE 2: The purpose of this provision is to ensure the IPSP the possibility to maintain the provided software even 
if the software providers go out of business. 



A.7 Asset Management 

A. 7.1 Responsibility for assets 
A. 7.1 .1 Inventory of assets 

Long Term Preservation specific controls: 

1) The IPSP shall keep also an auditable inventory of the information, where applicable subdivided by 
information type, deposited by subscribers, including the history of input, modified and deleted information. 

NOTE 1: This inventory would be dynamically derived from the IPS. 

2) The asset inventory shall specify also the version of the various system components and the period where each 
of them was operational. 

NOTE 2: The association between versions and the above operational period would be useful when performing 
problem determination. 

3) The inventory as in the previous item 1) shall be structured at least as required by the applicable legislation, for 
example based on the documents owner, on their original format - analog or electronic, on their area of 
interest - fiscal documents, legal documents, etc. 

4) If no format or structure is legally specified for the inventory indicated in the previous item 1, the IPSP may 
implement any structure and format that meet the above requirements. 

5) The IPSP should ensure that for each storage logical unit, within the documentation indicated in 
clause A.6.1.1. (Management commitment to information security, item 1), an auditable inventory is 
maintained that specifies at least: 

a) the identification data of all the persons that in the time were in charge of the information preservation; 

b) the identification data of officers delegated to perform specific information preservation tasks; 

c) the location where the back-up copies are kept. 

6) All inventories shall be constantly updated and their correspondence with the real assets shall be verified at 
least once a year. 

7) For any information, the IPSP shall keep, for the same time the information is preserved and under the same 
measures: 

a) the documentation of all its related procedures; 

b) the related audit outcomes; 
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c) documentation related to incidents that have affected the preserved information. 

A.7.1 .2 Ownership of assets 

Long Term Preservation specific controls: 

1) The IPSP shall appoint in writing all persons acting on the IPS for the purposes of the IPSP, clearly specifying 
the preserved information and information preserving processes each of them owns, i.e. is responsible for. 

2) At least the owners of the following processes shall be specified (see also clause 6.3.5 SS.3.5. Documents 
Format): 

a) In relation to CORE Processes: 

i. Secure log management process. 

ii. Incoming information acceptance. 

iii. Preservation core process, including Backup. 

iv. Management of the IPS related assets processing. 

V. Preserved information exhibition/return. 

vi. Disaster Recovery / Business Continuity Plan. 

vii. Electronic information deletion. 

b) In relation to EXTENDED Processes, where applicable: 
i. Analog information post-preservation deletion. 

ii. Incoming electronic information scanning with Antivirus programs. 

iii. Incoming electronic information format validity assessment. 
NOTE 1: Refer to clause 6.3.5, SS.3.5. Documents Format, provisions related to Extended Services. 

iv. Extended information indexing. 

V. Signature verification. 

vi. Format conversion. 
NOTE 2: Ownership of the processes will be assigned in abidance by the job separation principle. 

3) Consistently with what is specified in clause A. 14.1.4. Business continuity planning framework item 2, the 
"Disaster Recovery Team" will be entrusted with ownership of assets authority suitable to allow for 
resumption of operations in case Disaster is invoked, in real or in case of drills. 

A.7.1 .3 Acceptable use of assets 

Applicable. No further control and/or implementation guidance needed. 

A. 7. 2 Information classification 
A.7.2.1 Classification guidelines 

Long Term Preservation specific control: 

1) Any information shall always be assigned its classification level. 

2) As regards the preserved information the IPSP shall abide by the classification requirements specified by the 
information owner. 
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3) The IPSP shall inform in the contractual documentation the information owner that if no indication is provided 
on his data classification, the lowest applicable classification level will be enforced, providing him also with 
an explanation on the consequences of such classification. 

NOTE: If this condition occurs in relation of personal data, the IPSP will not be held responsible for non law- 
abiding preservation of the information deposited by the information owner, since the IPSP is not acting 
as the Controller. 

4) The IPSP shall have an auditable procedure ensuring that the confidentiality classification of IPSP related 
information (procedures, policies, etc.) shall be reviewed regularly, at least once per year, to prevent obsolete 
classification from, on the one hand, putting at risk information that in the meantime has achieved a higher 
classification level, and, on the other hand, requiring undue effort to enforce confidentiality rules 
disproportionate to the current actual confidentiality level. 

5) The IPSP shall oblige by agreements its subscribers to timely communicate any change in the classification 
level of the deposited information. 

A.7.2.2 Information labelling and handling 

Long Term Preservation specific control: 

1) The IPSP shall have an auditable procedure ensuring that where different confidentiality classification levels 
are assigned to different pieces of information stored on one single media or in a storage logical unit, the 
overall classification level of the single unit shall be the most stringent among those of the stored data, unless 
the information within is intrinsically protected consistently with their classification level. 

NOTE: One example of intrinsic protection is the information encryption. 

2) The IPSP shall have an auditable procedure ensuring that each removable media (electronic, paper, etc.) shall 
always be labelled according to the highest classification level assigned to the information stored inside (see 
clause A.7.2.1, Classification guidelines). Officers remarking that one item has no label shall report the event 
to the item owner and in the meantime the item shall be dealt with according to the highest classification level 
known for the information stored inside. 

3) The IPSP shall have an auditable procedure ensuring that when confidential information is copied in various 
instances (on paper, electronic media, etc.) the various copies shall receive the same classification level as the 
original and if their classification requires protection their distribution shall be tracked. 

4) Confidential information shall be shipped as specified in clause A. 10.8.3, Physical media in transit, item 2. 



A.8 Human resources security 

Long Term Preservation specific controls: 

1) The IPSP shall oblige through contractual agreement also its IPS related services providers to implement the 
provisions in this clause and in the applicable corresponding ISO/IEC 27002 [2] clauses. 

2) The IPSP shall oblige by contractual agreement its outsourcing providers to allow inspections as in clauses 4.2, 
User Community and Applicability and A. 6. 2. 3, Addressing security in third party agreements item 7) b. to be 
performed also on the issued dealt with in these clauses and in the applicable corresponding 

ISO/IEC 27002 [2] clauses. 

A.8.1 Prior to Employment 
A.8.1 .1 Roles and responsibilities 

Long Term Preservation specific control: 

1) At least the IPS system administrators shall be individually appointed in writing and they shall accept in 
writing their job. 
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A.8.1.2 Screening 

Applicable. No further control and/or implementation guidance needed. 

A.8.1 .3 Terms and conditions of employment 

Long Term Preservation specific control: 

1) The IPSP shall oblige in writing all officers acting on the IPS to comply with the rules governing the IPS. 
Officers shall: 

a) declare in writing that they have been informed in writing of such rules; 

b) declare in writing that they have been informed in writing of the existence of sanctions they would incur 
in case of violation of the rules. 

2) The procedure as in the previous item 1 should be repeated yearly. Among the therein mentioned rules is the 
corporate code of conduct, the Information Security Policy Document, the IPSP operating procedures, the 
applicable legislation in force, including the privacy related one. 

See also clause A.5.1.1. Information Security Policy document. 

A.8.2 During Employment 
A.8.2.1 Management responsibilities 

Long Term Preservation specific controls: 

1) The IPSP shall ensure that all IPSP officers involved in the IPS operations: 

a) have their job description formally communicated in writing; and 

b) declare in writing that they have been delivered in writing their job description. 

2) One employee's job descriptions shall specify at least the employee's responsibilities, including those related to 
the information security. 

3) The IPSP management shall appoint to the IPSP mansions only persons that have been evaluated as 
experienced and reliable. 

A.8.2. 2 Information security awareness, education, and training 

Long Term Preservation specific controls: 

1) All officers operating on the IPS shall be formally informed in writing on the security policy and procedures, 
including the ISPD, and shall: 

a) accept in writing the related obligations; 

b) declare in writing their awareness that they would incur in sanctions in case of violation of the security 
policy. 

This procedure should be repeated at least every time that the security policy or the security procedures are changed. 

2) The IPSP shall have in force ad hoc up to date training programs to hone the information security awareness 
and education of officers acting on the IPS. 

NOTE 1 : This training program would include also information on workplace hazards, on safeguards aiming to 
reducing the workers' risks, and on the proper use of these safeguards, including hazardous material 
handling. 

NOTE 2: See also clause A.13.1.1. Reporting information security events items 3 and 5, and clause A. 13. 1.2 
Reporting security weaknesses items 3 and 4. 
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A.8.2.3 Disciplinary process 

Applicable. No further control and/or implementation guidance needed. 

A.8.3 Termination or Change of Employment 
A.8.3.1 Termination responsibilities 

Long Term Preservation specific controls: 

1) Officers acting on the IPS shall formally be made aware that the confidentiality agreement shall be in force 
even after their termination or change of their employment. 

2) [EXT 1.1] Personal Data Preservation Officers acting on IPS preserving personal data shall formally be made 
aware of the legal consequences of not abiding by confidentiality rules regarding sensitive and judicial 
personal data even after termination or change of their employment. 

A.8.3.2 Return of assets 

Applicable. No further control and/or implementation guidance needed. 

A.8.3. 3 Removal of access rights 

Long Term Preservation specific controls: 

1) One officer's access rights to IPSP information shall be removed when this officer leaves his assignment. 

2) The IPSP organisation chart shall be timely updated to reflect one officer's termination from his/her 
assignment and this update shall be timely distributed to all interested officers. 

A.9 Physical and environmental security 

A. 9.1 Secure Areas 

A.9. 1 . 1 Physical security perimeter 

Long Term Preservation specific controls: 

1) The IPSP Computer rooms shall be equipped with safety doors that set off an audible and visible alarm when 
kept open beyond a predefined period of time. 

2) The IPSP shall have in force an auditable procedure to log all events that set off the alarms. 

3) When there is a need to disable the alarm as in the previous items, or to lengthen the trigger interval (e.g. in 
case of transporting material in and out of the room), this shall be done only after specific and traceable 
authorisation by the person in charge of the room security. 

4) All alarm setting off, the severity of which is not immediately and auditably downgraded, shall be dealt with as 
a major security incident requiring a quick and detailed analysis. 
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A.9.1 .2 Physical entry controls 

Long Term Preservation specific controls: 

1) The IPSP shall have in force auditable procedures ensuring that access to the IPSP areas where information is 
processed or stored is controlled and restricted to authorized persons only. 

2) Where IPS components are located in rooms shared with other application systems, auditable procedures shall 
be in force ensuring that access to the IPS components is allowed only to authorised persons. 

3) Visitors shall be allowed to access the IPSP areas where information is processed or stored only under 
supervision by an authorised IPSP officer who shall be responsible for the visitor's acts. 

4) Refer also to clause A.l 1, Access control, as regards physical entry authorisation. 

A.9.1 .3 Securing offices, rooms, and facilities 

Long Term Preservation specific controls: 

1) The IPSP ISPD shall have a section dedicated to a physical security plan, consistent with the outcomes of the 
Risk Assessment that is reviewed and updated by the senior manager in charge of the physical facilities. 

2) An auditable "clean desk policy" shall be enforced requiring all IPSP officers, dealing with confidential 
information including all documents to be submitted to preservation, not to leave such confidential matter in 
the open when they are absent. 

3) The IPSP areas where its processing equipment and the preserved information are stored, shall be equipped 
with security measures that, whenever they must be evacuated in emergency, prevent unauthorised access, yet 
ensuring supervision by authorised persons. 

4) Unattended equipment shall be placed in premises under surveillance and with physical access control 
implemented in order to avoid unauthorised attempts of access such equipment. 

A.9.1 .4 Protecting against external and environmental threats 

Long Term Preservation specific control: 

1) At least the entrance to the IPSP premises should be equipped with riot doors, fire doors, and other doors 

resistant to forcible entry. Deviations to this requirement are acceptable if the IPSP is located inside premises 
that per se provide such protection and if access to the IPSP from within these premises is protected by locked 
doors controlled either with manned reception areas or with electronic means. 

A.9.1 .5 Working in secure areas 

Applicable. No further control and/or implementation guidance needed. 

A.9.1 .6 Public access, delivery, and loading areas 

Long Term Preservation specific control: 

1) The IPSP shall implement requirement in item b) of the corresponding ISO/IEC 27002 [2] clause with 
reference to the parts of the building where the preserved information is processed and kept. 

2) When third party personnel, extraneous to the IPSP activity, is authorised to access IPSP restricted areas, they 
shall not have unmonitored access to IPSP computing and communications equipment. 



£75/ 



41 ETSI TS 1 01 533-1 V1 .1 .1 (201 1 -05) 

A. 9. 2 Equipment Security 

A.9.2.1 Equipment siting and protection 

Long Term Preservation specific controls: 

1) The IPSP processing equipment shall be sited in a way to prevent electromagnetic emissions, produced by this 
equipment, from being captured by unauthorised persons. 

NOTE: This goal can be achieved not only by means of anti-Tempest attack certified technical measures, like, for 
example, shielded rooms or specifically designed processing systems, but also by means of organisational 
measures that prevent Tempest attacks from being performed undetected. 

2) See also clause A.9.1.2, Physical entry controls. 

A.9.2.2 Supporting utilities 

Long Term Preservation specific controls: 

1) In case of external power supply breakdown, an IPSP emergency power supply shall be ensured at least for the 
time required to perform a regular shutdown of the IPS components. 

2) The IPSP shall ensure that also during the IPS components regular shutdown the computer rooms' 
environmental conditions are compatible with the machine and human activities. 

A.9.2.3 Cabling security 

Applicable. No further control and/or implementation guidance needed. 

A.9.2.4 Equipment maintenance 

Applicable. No further control and/or implementation guidance needed. 

A.9.2.5 Security of equipment off-premises 

Applicable. No further control and/or implementation guidance needed. 

A.9.2.6 Secure disposal or re-use of equipment 

Long Term Preservation specific control: 

1) The IPSP shall have an audi table procedure ensuring that when any IPS piece of equipment is disposed of, if it 
is not securely destroyed, all content deemed as confidential by the IPSP, including the preserved information, 
shall be securely deleted, under the responsibility of the equipment owner, by overwriting the original 
information using techniques to make it non-retrievable. See also clause A.7.2.1, Classification guidelines. 

A.9.2.7 Removal of property 

Long Term Preservation specific controls: 

1) The IPSP shall have in force an auditable procedure to promptly inform all interested persons of any changes 
in the authority in charge of permitting off-site removal of assets. 

2) The IPSP should perform the spot checks mentioned in the "Other information" section of the corresponding 
ISO/IEC 27002 [2] clause. 
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A. 10 Communications and operations management 

A. 10.1 Operational procedures and responsibilities 
A. 10. 1.1 Documented operating procedures 

Long Term Preservation specific controls: 

1) The documentation as in clause A.6.1.1, Management commitment to information security item 1) shall 
indicate at least: 

a) The storage logical unit content structure, ensuring a logical separation at least by document owners and 
making possible a separation between document and content types (e.g. based on fiscal requirements, 
where applicable) when required by the document owner or legally needed. 

b) The history of the content of each storage logical unit, specifying who applied what addition, 
modification or deletion, when, upon whose authorisation. 

c) For each storage logical unit, information suitable to identify what back up copies exist and where they 
are located. 

d) What document specifies the indexing and searching mechanism in place for all preserved information. 

e) In what cases a trusted third party (e.g. a Public Officer) must be summoned and what auditable 
procedure must be followed. 

2) If the documentation as per the previous item 1), and in particular the storage logical unit content structure as 
per item b), is not explicitly specified by the applicable legislation, it should be specified in the agreement 
between the IPSP and each document owner. 

3) The IPSP relevant management shall formally sign off the procedures documentation before they are put into 
operation. 

NOTE: As far as documentation related to back-up and disaster recovery/business continuity is concerned, see 
also clauses A. 10.5, Back-up and A. 14, Business continuity management respectively. 

4) The IPSP shall securely keep up to date the documentation of the application procedures in operation, formally 
approved by an appointed manager, to be regularly checked against the procedures actually in operation. Any 
detected mismatch shall be considered, and dealt with as, a security incident. 

A.I 0.1. 2 Change management 

Long Term Preservation specific controls: 

1) Any change to the IPS shall be previously formally authorised by the relevant manager. Where urgent changes, 
due for example to malfunctions, need be applied without delay, the responsible manager shall be informed as 
soon as possible and shall undertake the related action that shall be documented. 

2) Any change to the IPS shall be traced and auditable. 

3) Regular and constant security update, e.g. of anti-malware tools, shall always be implemented as soon as they 
are available without requiring previous authorisation by the relevant manager. Rollback procedures shall be in 
force to be enacted if such updates lead to service disruption. Such cases shall promptly be reported to the 
relevant manager. 



£75/ 



43 ETSI TS 1 01 533-1 VI .1 .1 (201 1 -05) 

A. 10. 1.3 Segregation of duties 

Long Term Preservation specific controls: 

1) Segregation of duties shall be implemented in an auditable way. Organisational solutions shall be adopted to 
work around technical hindrances to implementing the segregation of duties. 

NOTE: Segregation of duties is at least to be applied to System Administrators, System Operators, and Auditors. 

The IPS shall not be operated with System Administrator's privileges. 

A. 10.1 .4 Separation of development, test, and operational facilities 

Long Term Preservation specific controls: 

1) ISO/IEC 27002 [2], clause 10.1.4, Separation of development, test, and operational facilities, item f) is to be 
interpreted with the meaning that sensitive data may be used in a tests environment only if: 

a) the information capable to identify the data subject is either removed or made anonymous; and 

b) the information context is such that the data subject identification is not possible. 

2) The IPSP shall provide evidence that people who have been involved in the development of specifically 
developed software applications have not performed the formal acceptance test of such software in a way to 
affect the test results. 

NOTE: Software developers can be involved in the software acceptance test, but their contribution would be such 
to prevent them from surreptitiously making malfunctions go unnoticed. 

A.I 0.2 Third party service delivery management 

Applicable. No further control and/or implementation guidance needed. 

NOTE: The present clause does not specify methods to manage third parties, since the IPSP will choose what 

better fits its size and complexity. It is however reminded that the IPSP is responsible of the preservation 
service in its whole, including outsourced tasks. 

A. 10.2.1 Service delivery 

Applicable. No further control and/or implementation guidance needed. 

A. 10.2.2 Monitoring and review of third party services 

Long Term Preservation specific controls: 

1) The IPSP shall formally appoint, as responsible for the third parties services, senior managers, supported by an 
adequate staff, who shall comply with provisions in the ISO/IEC 27002 [2] corresponding clause. 

NOTE 1: The term "adequate" refers to both the number of people and their skill. 

2) Where necessary the IPSP may resort to external experts to perform the tasks in the ISO/IEC 27002 [2] 
corresponding clause. 

NOTE 2: One example is when the IPSP lacks the necessary skill to supervise the organisation to which it 
outsources its services. 

NOTE 3: Since the responsibility for the outsourced services remains on the IPSP, this has to verify at least if the 
resorted experts perform their tasks with the due accuracy. 
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A. 10.2.3 Managing changes to third party services 

Long Term Preservation specific controls: 

1) The agreement between the IPSP and the providers (outsoiircers) of services related to its IPS shall specify 
that: 

a) the outsourcers shall timely inform the IPSP, except in cases of demonstrable urgency or emergency, of 
their plans to modify the systems they use to provide the services at issue; 

b) where the above mentioned cases of demonstrable urgency or emergency occur, the outsourcers shall 
immediately inform the IPSP of the applied changes and of the reason why no previous notice had been 
possible; 

c) the IPSP shall timely inform its outsourcers, except in cases of demonstrable urgency or emergency, of 
the need to apply changes to the outsourcers' systems used to provide the services at issue; 

d) all modifications applied and the decision to apply them shall be auditably recorded under the 
responsibility of the IPSP Manager in charge of the system being modified; modifications applied in 
urgency or emergency shall also be auditably recorded as soon as possible. 

2) The timeliness indicated in the previous item 1 letters a. and c, shall be such to allow the respective counter 
parties to assess the planned changes and, possibly, agree on different solutions. 

A. 10.3 System planning and acceptance 
A. 10.3.1 Capacity management 

Applicable. No further control and/or implementation guidance needed. 

A. 10.3.2 System acceptance 

Long Term Preservation specific controls: 

1) Connections between two or more computer systems, even in-house, shall only be established upon 
authorisation by the management in charge for Information Security. See also clause A. 11.4.1, Policy on use 
of network services item 2). 

2) The IPSP management in charge for Information Security shall publish, and regularly keep up to date, security 
requirements related to the IPSP servers, hosts, firewalls, and other multi-user computers configuration. 

3) The configuration of each IPS related system shall be approved beforehand by the management in charge for 
Information Security that shall securely keep the related documentation to periodically verify if these 
configurations have been arbitrarily changed. 

4) IPSP shall have for every software or hardware used an auditable and clearly understandable documentation 
evidencing the approval by the manager in charge in advance of its deployment, having had the agreement by 
the manager in charge for the Information Security. 

5) The Manager's approval of specifically developed software should be based on an auditably traced acceptance 
test (see also clause A. 10.1.4, Separation of development, test, and operational facilities item 3). 

6) The agreement between the IPSP and each outsourcer should require the latter to have in force a formal system 
acceptance procedure as in ISO/IEC 27002 [2] corresponding clause and as in the previous items 1) through 
4). 

7) Exceptions to the provision in the previous item 6 shall be duly and auditably justified by the IPSP. 
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A. 10.4 Protection against malicious and mobile code 
A.1 0.4.1 Controls against malicious code 

Long Term Preservation specific controls: 

1) Whenever an IPS related system is suspected to be infected by a computer malware it shall immediately be 
shut down and disconnected from all networks; the department in charge for Information Security shall be 
notified and it shall immediately take care of the problem. No impromptu attempt to eradicate the malware 
shall be performed by unauthorised personnel. This procedure shall be traced. 

2) All encrypted externally supplied computer readable files, with the exception of those that are to be stored 
encrypted, shall be decrypted and undergo an approved malware checking process before further processing. 
This procedure shall be auditable. 

3) Before any file is restored to a production computer system from backup storage media, it shall be scanned 
with the latest version of the adopted antimalware software. 

4) Malware detection and removal applications shall implement a frequent and possibly automated self-update. 

A. 10.4.2 Controls against mobile code 

Applicable. No further control and/or implementation guidance needed. 

A.I 0.5 Back-up 

A.10.5.1 Information back-up 

Long Term Preservation specific controls: 

1) The IPSP shall ensure that at least some of the backup copies it regularly creates, updates and manages, are 
interoperable, by implementing them: 

a) on media that meet de jure or de facto standard specifications, or are agreed upon with the subscriber; 

b) using data architectures that meet de jure or de facto standard specifications. 

NOTE: The purpose of this requirement is to ensure that, where the IPSP is based on proprietary media, data 
architecture, formats, etc., at least some backup copy can always be restored. 

2) The IPSP shall ensure that the equipment (software and, where necessary, hardware) required to restore the 
backed up information is available, at least for the time the related back up copy is kept, in a version suitable 
to restore such information in a readable way. 

3) In addition to all preserved information, any other asset necessary to ensure the Business Continuity, including 
software applications, operations documentation, etc. shall be backed up. 

4) The back up copies storage locations shall be chosen consistently with the Business Continuity Plan (see 
clause A. 14). 

5) Back up copies shall be periodically checked to ascertain their readability. The interval between two 
subsequent checks should be defined based on the shorter period between what is indicated by the applicable 
legislation and by independent technical reports (provision as per clause 6.4, SS.3.4. Storage media type, 
item 4, applies where applicable). 
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A.1 0.6 Network security management 
A. 10.6.1 Network controls 

Applicable. No further control and/or implementation guidance needed. 

A. 10.6.2 Security of network services 

Long Term Preservation specific control: 

1) The IPS networks shall be separated from the Internet and from any network by firewalls, approved by the 
management in charge of Information Security, that shall run on separate dedicated computers that serve no 
other purpose. 

2) All IPSP operated networks shall be provided at least with Intrusion Detection Systems approved by the 
management in charge of Information Security. 

3) IPSP wireless networks shall be protected through encryption and suitable Authentication and Identification 
mechanisms. 

A.I 0.7 Media liandling 

A.I 0.7.1 IVIanagement of removable media 

New Long Term Preservation specific controls: 

1) The IPSP shall have in force audi table procedures addressing at least the following issues regarding removable 
media: 

a) storage of media upon their delivery by their suppliers; 

b) storage of media upon their delivery by the IPSP customers; 

c) identification and authentication of the persons / roles authorised to withdraw and deposit media from 
and into the various storage sites; 

d) disposal of removable media and the related authorisation; 

e) secure deletion of media content, where applicable, when no more in use for the specific purpose, 
including specification of the deletion mechanisms to be used. 

2) The IPSP shall have in force auditable procedures to be enforced before setting into operations new or reused 
removable media, aiming to prevent spurious information and malware to be injected in the preservation 
process. 

3) The IPSP shall have in force auditable procedures providing for regular inspections on all media in use in 
order to verify their technical readability (see also clauses 6.3.3 and A. 10.5.1. item 5). 

4) If the media manufacturer's specification or independent technical reports indicate for the adopted media a 
reliable lifetime shorter than the legally required inspection interval, the Risk Assessment should take into 
account these reports, in addition to the applicable legislation requirements, to define the interval between 
inspections. The results of these Risk Assessments, including the referred to technical reports, shall be made 
available to the Assessors. 

5) Formal minutes of the above inspections on media readability shall be kept, at least for the time the inspected 
media are in use, under the responsibility of an officially appointed IPSP Manager, to provide a documented 
history of the inspections and of their outcomes. 

6) If early signs of degradation are remarked and if the used media have no self-healing capability such as, for 
example, in the RAID based systems, an auditable data restore procedure shall be performed from back up 
copies onto new media. This ensures that no reading error is propagated. 
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A. 10.7.2 Disposal of media 

Long Term Preservation specific controls: 

1) To implement ISO/IEC 27002 [2] corresponding clause, item a), the IPSP shall adopt mechanisms suitable to 
render unreadable the media being disposed of, among which the following ones: 

a) Securely delete the media content, where applicable (i.e. magnetic media or re-writable optical media), 
by repeated overwriting, on the data to be deleted, as per the applicable standards or public available 
specifications. 

b) Incinerate the media. 

c) Destroy the media in multiple pieces; where the media pieces can be reassembled, pieces shall be 
disposed of separately. 

2) When disposed of, all secret, confidential, or private information in hardcopy (e.g. on paper) shall be shredded 
or, preferably, incinerated. 

3) The media disposal shall be implemented in compliance with specific IPSP auditable procedures. 

A. 10.7.3 Information handling procedures 

Long Term Preservation specific control: 

1) [EXT.l] Persona Data Preservation 

2) When implementing the ISO/IEC 27002 [2] corresponding Clause item a) on labelling media containing 
confidential data, e.g. sensitive or judicial personal data, the IPSP should ensure that the labels make no 
explicit reference to the data themselves nor to their owners ("subjects" in case of personal data), e.g. by 
resorting to coding mechanisms. 

NOTE: The purpose of this requirement is to prevent unauthorised persons, who happen to handle these media, 
from deriving information on the contained confidential data from their labels. 

A. 10.7.4 Security of system documentation 

Long Term Preservation specific controls: 

1) System documentation security shall be dealt with according to the ISPD provisions (see clause A. 5. 1 . 1 . 
Information Security Policy document). 

2) The IPSP shall have in force auditable procedures to manage the system documentation security, addressing, 
among other things: 

a) Assigning to each system documentation component the respective classification level. 

b) Specifying for each classification level the roles authorised to access the classified information. 

c) Reporting security incidents, such as system documentation theft, loss, disclosure to non authorised 
persons, etc. 

d) Action to be taken in the aftermath of a reported security incident. 
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A. 10.8 Exchange of information 

A. 10.8.1 Information exchange policies and procedures 

Long Term Preservation specific control: 

1) With reference to the ISO/IEC 27002 [2] corresponding clause, item g), the IPSP shall encrypt the exchanged 
information using either legally required mechanisms or mechanisms agreed upon with the recipient or 
subscriber. (Refer also to clause A.12.3.1, Policy on the use of cryptographic controls.) 

A. 10.8.2 Exchange agreements 

Long Term Preservation specific control: 

1) The ISO/IEC 27002 [2] corresponding clause 10.8.2, Exchange agreements, item h) shall be interpreted, in 
particular the words "immediately understood" in the light of what is specified at clause A. 10.7.3. Information 
handling procedures item 1 . 

A. 10.8.3 Physical media in transit 

Long Term Preservation specific controls: 

1 ) [EXT 1.1] Personal data preservation: 

Where the IPSP acts as Processor on mandate by one Controller, the ISO/IEC 27002 [2] corresponding 
Clause item a) shall include agreement with, or approval by, the Controller, since the latter is responsible 
for the data handling. 

2) In addition to provisions in the ISO/IEC 27002 [2] corresponding clause, the IPSP shall have in force auditable 
procedures ensuring that confidential information shall be protected from unauthorised access, e.g. by means 
of encryption. 

A. 10.8.4 Electronic messaging 

Long Term Preservation specific control: 

1) Where available. Registered E-Mail like solutions should be enforced and documented, since they ensure 
achievement of items a), b), c), d) of the ISO/IEC 27002 [2] corresponding clause. 

NOTE: TS 102 640 [i.32] provides a Technical Specification for Registered E-Mail. 

A. 10.8.5 Business information systems 

Applicable. No further control and/or implementation guidance needed. 

A.1 0.9 Electronic commerce services 

Not Applicable. 



£75/ 



49 ETSI TS 1 01 533-1 VI .1 .1 (201 1 -05) 

A.10.10Monitoring 
A.10.10.1 Audit logging 

Long Term Preservation specific controls: 

1) The IPSP shall ensure that the IPS Computer systems securely create logs, that shall include all information 
specified in the corresponding ISO/IEC 27002 [2] clause, primarily all significant security relevant events. 

2) The length of time the audit logs are to be kept shall be defined at least on the basis of legal requirements and 
of the agreement with the subscriber, whichever requires a longer period. 

A. 1 0. 1 0.2 Monitoring system use 

Applicable. No further control and/or implementation guidance needed. 

A. 1 0. 1 0.3 Protection of log information 

Long Term Preservation specific controls: 

1) Provisions in the ISO/IEC 27002 [2] corresponding Clause shall be implemented, where applicable resorting 
to cryptographic solutions. 

2) The whole of system logs and application logs shall be replicated or backed up at least daily, to one or more 
machines that are not directly accessible from the Internet. 

3) The IPSP shall keep logs (at least access logs) available for a period of time suitable to allow for exhaustive 
investigation when reviewing the IPSP security policy documentation and in case of security incidents. This 
period of time should in no case be less than one year. 

A. 1 0. 1 0.4 Administrator and operator logs 

Long Term Preservation specific control: 

1) All IPSP officers working on the IPS, including sub-contractors and consultants, shall be notified in writing 
that all operations on the IPS are logged. 

A.10.10.5 Fault logging 

Applicable. No further control and/or implementation guidance needed. 

A. 10. 10.6 Clock synchronization 

Long Term Preservation specific controls: 

1) The IPSP shall have in force an auditable procedure, based the outcomes of the Risk Assessment, ensuring that 
all the applied time references, in relation to the IPS, are reliably fetched from a trusted UTC time source and 
maintained unaltered throughout the entire IPS. 

2) All IPSP time references shall be UTC based, e.g. "UTC+1, "UTC+2", etc., to make it possible to reconcile all 
of them to a consistent chronology. 

3) The IPSP shall ensure that all logging records express the time in a unique manner, even when the IPSP 
systems are located in different time zones. 

NOTE: This can be achieved either by synchronising all IPS related systems on the same time zone or by 
explicitly stating the systems time through UTC based notation (e.g. "UTC -6"). 
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A. 11 Access control 

A.1 1 .1 Business requirement for access control 
A. 11 .1 .1 Access control policy 

Long Term Preservation specific controls: 

1) The IPSP Access control policy shall take into account all IPS related procedures and facilities, even those 
governed by other departments insisting on the IPS functions, to ensure absence of conflict on requirements on 
confidentiality and on segregation of roles. 

2) The IPSP access policy shall differentiate the access rights of the various user types. At least the following 
different user access rights classes shall be defined: 

a) IPS operators; 

b) IPS system administrators; 

c) Information owners; 

d) Auditors; 

e) Third parties, e.g. authorities. 

Namely: 

i. IPS operators shall be enabled to perform operations on the IPS and shall not be able to set or modify the 
configuration of the IPS systems they operate on; 

ii. IPS system administrator shall have the authority to set or modify the IPS systems configurations, but 
shall not have the right to act as operators on the same systems the configurations of which they set or 
modify; 

iii. Auditors shall have "read only" rights on the IPS; 

iv. Information owners should only be able to access their own documents in "read only" mode; 

NOTE 1 : All requests for changes to the preserved information would be submitted by the information owners 
through the agreed upon procedures. 

V. Third parties shall be able to only read the documents they have the authorisation to. 

EXAMPLE: A customs officer would not Ukely have the authorisation to access health records. 

1) Installation and use on the IPS of any code that circumvents the authorized access control mechanisms in 
operating systems or access control packages should be forbidden. 

2) The provision in the previous item 4 may be derogated in compliance with provisions in clause A. 13.2.1 
Responsibilities and procedures, item 5. 

3) The IPSP shall assess and identify accesses that need to be protected against duress. 

NOTE 2: A duress protection can be implemented, for example, by providing users with "duress passwords" to be 
employed to covertly signal that this user is being pressured to logon. 
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A.1 1 .2 User access management 
A. 11. 2.1 User registration 

Long Term Preservation specific controls: 

1) The IPSP shall implement provisions in item a) of the ISO/IEC 27002 [2] corresponding clause at least 
referred to IPS operators and IPS system administrators. 

2) The IPSP shall implement provisions in items d), e), f) g) h), of the ISO/IEC 27002 [2] corresponding clause. 

A.1 1.2.2 Privilege management 

Applicable. No further control and/or implementation guidance needed. 

A.1 1 .2.3 User password management 

Long Term Preservation specific controls: 

NOTE 1: A user is anyone who is lawfully entitled to access the IPSP system (e.g. employees, third parties under 
contractual agreements, authorities, auditors, etc.). 

1) IPS user authentication shall be designed to default to denial of privileges to end users in case of access control 
system malfunction. Specifically appointed System Administrators shall be designated to fix the 
malfunctioning user authentication system. 

2) After a predefined number of unsuccessful logon attempts by one user, access to the system at issue shall be 
locked for that user, and, where applicable, shall be unlocked only by an authorised person. All this process 
shall be auditably logged. 

NOTE 2: By "system" it is intended any information processing hardware or software equipment: computer, 
network, processing application, smart card, etc. 

3) Under each unsuccessful access attempt no information should be fed back that can help the user identify what 
data was wrong. 

4) The IPSP Information Security management shall have unambiguous, organized, and current records of all 
access privileges. 

5) Vendor supplied and application default passwords shall be changed after their first use. 

6) The display and, where applicable, printing of passwords shall not be in clear. 

7) Each password generated by systems to be securely conveyed to an end user, shall be unique; their generation 
should be based on random values, complying with de jure or de facto standard specifications 

NOTE 3: Some random number generators are: ANSI X9.17 [i.33], FIPS SP 800-90 [i.36]. 

8) All computer storage media and computer memory areas used in the construction, assignment, distribution, 
verification or encryption of passwords or PIN, should be securely deleted, preferably using mechanism based 
on de jure or de fact standard specifications. 

NOTE 4: Deviations to the previous provision are possible only where passwords and/or PINs are of "one time" 

type, or when the centrally generated password or PIN is to be changed by the user after its first usage and 
the involved application provides reset measures in case of undue intrusion, etc. 

9) Users shall accept an obligation that they shall immediately change their passwords, whenever there is the 
certainty, or even a reasonable doubt, that they have been compromised, and that they shall immediately report 
the incident. 

10) When contact centres are deployed as an emergency interface between users and applications the contact 
centre employee shall have not the possibility to abuse the password/PIN. 
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A. 11 .2.4 Review of user access rights 

Long Term Preservation specific controls: 

1) In addition to provisions in items a), b), c) of the ISO/IEC 27002 [2] corresponding clause, the IPSP shall 
review users' access rights whenever a security incident occurs that can be referred to access abuse or access 
control malfunction. 

2) Access rights shall be revoked if not used for a predefined time period that will depend on the confidentiality 
of the information accessed by the users. 

3) The time period addressed in item a) of the ISO/IEC 27002 [2] corresponding clause shall in no case be shorter 
than what is required by the applicable legislation. 



A.1 1 .3 User responsibilities 



A.1 1.3.1 Password use 

Long Term Preservation specific controls: 

1) In addition to provisions in item d) of the ISO/IEC 27002 [2] corresponding clause, the IPSP should set: 

a) automated password validity checks when the users create their own passwords to verify that user built 
passwords are not identical or substantially similar to previous passwords used for the same application, 
system or network and that the user chosen passwords meet precise security requirements; 

NOTE 1 : Examples of these security requirements are: minimum length, used character types, character repetition, 
being substantially different from the previous ones, etc. 

b) automated password change request when a predefined time lapse has expired or is about to expire. 

2) Where required (refer to clause A. 10. 1 .3, Segregation of duties), the minimum password or PIN length shall be 
such to make it possible to divide it in two or more parts to be assigned each to a different operator. 

3) Users shall be made aware of the rules as in the previous items of this clause. 

4) Users shall accept in writing that they shall not use the same password on multiple computer systems unless 
authorised by the relevant manager. 

NOTE 2: This provision aims to prevent that the disclosure of one user's password related to one system also 
affects the security of other systems. 

A.1 1 .3.2 Unattended user equipment 

Applicable. No further control and/or implementation guidance needed. 

A.1 1 .3.3 Clear desk and clear screen policy 

Long Term Preservation specific controls: 

1) The IPSP shall enforce an auditable clear desk and clear screen policy by means of regular and impromptu 
inspections performed by the responsible managers and/or by specific officers. The outcome of these 
inspections shall be reported at least up to the Information Security managers. 

2) The IPSP Employees shall be made aware that they will incur in disciplinary sanctions in case of violation of 
the clear desk and clear screen policy. 
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A. 11. 4 Network access control 

A. 11 .4.1 Policy on use of network services 

Long Term Preservation specific controls: 

1) Within the provision b) of the ISO/IEC 27002 [2] corresponding Clause the IPSP shall appoint a very small 
number of trustable officers, sufficient to ensure the operations continuity in case of disaster, authorised to 
access the IPSP network services used to create and maintain backup copies of the preserved documents (see 
also clause A. 14. 1.4.). 

2) Access by any IPS computer to any network shall be explicitly approved in an auditable way by the relevant 
manager. 

3) Connections of IPSP networks to any other computer or network shall be explicitly authorised in an auditable 
way by the relevant manager. 

4) The IPSP networks shall always be protected by firewalls. Intrusion Detection Systems, etc., unless explicitly 
and auditably authorised by the IPSP relevant management. 

A.1 1 .4.2 User authentication for external connections 

Long Term Preservation specific controls: 

1) When user authentication to networks and network connected equipment is password based, they shall abide 
by provisions in clause A. 1 1.3.1, Password use. 

2) User authentication to networks and network connected equipment should be implemented by means of 
two-factor authentication mechanisms, or similarly reliable mechanisms, at least when sensitive information 
are dealt with. 

3) Any connection conveying authentication information shall be protected as specified in clause A. 10.6.1, 
Network controls. 

A.1 1.4.3 Equipment identification in networks 

Long Term Preservation specific control: 

1) Provisions in the ISO/IEC 27002 [2] corresponding Clause apply in particular to IPSP equipments that 

automatically connect to networks to create channels along which backup copies are transmitted to remote 
locations, as in the case of mirroring mechanisms. These channels shall be encrypted. 

A.1 1 .4.4 Remote diagnostic and configuration port protection 

Applicable. No further control and/or implementation guidance needed. 

A.1 1.4.5 Segregation in networks 

Long Term Preservation specific control: 

1) The IPSP shall evaluate if the IPS related network is to be segregated from other networks, on the basis of the 
preserved information confidentiality level. If the IPSP decision is not to segregate, such decision shall be 
clearly and auditably recorded. 

A.1 1 .4.6 Network connection control 

Applicable. No further control and/or implementation guidance needed. 
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A. 11 .4.7 Network routing control 

Applicable. No further control and/or implementation guidance needed. 

A. 11 .5 Operating system access control 
A.1 1 .5.1 Secure log-on procedures 

Long Term Preservation specific control: 

1) After a predefined number of unsuccessful logon attempts by one user, the same security measures shall be 
implemented as in clause A. 11. 2. 3, User password management item 2). 

A.1 1 .5.2 User identification and authentication 

Applicable. No further control and/or implementation guidance needed. 

A.1 1 .5.3 Password management system 

Long Term Preservation specific control: 

1) Passwords shall not be hard coded into software specifically developed or modified for the IPSP. 

A.1 1 .5.4 Use of system utilities 

Long Term Preservation specific controls: 

1) Access to systems software utilities shall be restricted to a small number of trusted and authorized users. 

2) Systems software utilities execution shall be auditable. 

A.1 1 .5.5 Session time-out 

Long Term Preservation specific control: 

See also clause A. 11. 3. 2, Unattended user equipment. 

1) The IPSP shall assess in what cases "clearing the screen and preventing unauthorized access" after a defined 
period of inactivity is deemed as not enough secure, thus requiring enforcement of the requirement "close both 
application and network sessions", as in the ISO/IEC 27002 [2] corresponding clause. 

A.1 1 .5.6 Limitation of connection time 

Applicable. No further control and/or implementation guidance needed. 

NOTE: The provisions in the ISO/IEC 27002 [2] corresponding Clause can be applicable if the IPSP customers 
submit the information to be preserved via connections on open network (i.e. the internet) triggered from 
their own premises over which the IPSP has no direct control, however suitable obligations on the 
customers can relax the related measures. 
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A. 11 .6 Application and information access control 
A. 11 .6.1 Information access restriction 

Long Term Preservation specific controls: 

1) Access to systems logs or application audit trails shall be limited to the personnel with an actual need to know. 

2) User privileges shall be carefully defined so that users can only gain access to preserved information for which 
they have an actual need to know. 

3) Administrators of one system should not gain access to the information preserved in the same system. One 
acceptable derogation to this requirement may be a system administrator's intervention to remove malfunctions 
locking some preserved information, but in this case the system administrator's operations shall be supervised 
by the operator responsible for the information at issue, to prevent abuse on such information. 

NOTE: Particular care is to be placed in assigning the rights as in item b) of the ISO/IEC 27002 [2] corresponding 
clause ("read, write, delete, and execute"), since the operation of deleting preserved information is to be 
performed by responsible officers. 

A.1 1 .6.2 Sensitive system isolation 

Long Term Preservation specific control: 

1) The IPS components should be dedicated to this application and isolated from other environments. 

A.1 1 .7 Mobile computing and teleworking 
A.1 1 .7.1 Mobile computing and communications 

Long Term Preservation specific control: 

1) The IPSP should not allow for mobile devices to be used in connection with its IPS. 

NOTE: The IPSP activity does not usually require operations on the IPS to be performed from mobile devices. 

A.1 1.7.2 Teleworking 

Long Term Preservation specific control: 

1) The IPSP should not allow for teleworking to be used on its IPS processing systems. If, for very peculiar 
reasons, it is implemented, the security measures specified in the ISO/IEC 27002 [2] corresponding clause 
shall all be enacted. 

NOTE: The IPSP activity does not usually require operations on the IPS to be performed in teleworking, with the 
exception of security tests, like penetration tests on its networks, and the related audit activities. 
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A.12 Information systems acquisition, development and 
maintenance 

A. 12.1 Security requirements of information systems 
A. 12. 1.1 Security requirements analysis and specification 

Long Term Preservation specific controls: 

1) When an IPSP sets in operation a Commercial Off The Shelf (COTS) or a specifically developed IPS 
component, the technical specifications implemented by the purchased or developed system must include 
requirements for security controls, specifying which controls can be performed automatically and incorporated 
in the information system. 

2) When IPS software packages or systems are not independently evaluated or certified, they shall go through a 
formal acceptance test, as part of the development or acquisition processes, to grant fulfilment of the security 
requirements. 

A.I 2.2 Correct processing in applications 
A. 1 2.2. 1 Input data validation 

Long Term Preservation specific controls: 

1) The IPSP applications implementing the preservation service shall auditably track all documents submitted 
and shall associate each of them to a meaningful state (e.g. accepted, rejected, in process, preserved). 

2) The IPSP shall implement auditable controls to prevent personnel from, unintentionally or without due 
authorisation, adding, modifying and deleting files or information. 

3) When the information to be preserved is electronically transmitted by the subscriber to the IPSP, mechanisms 
shall be auditably enforced to verify that the information has been received without any alteration. This 
mechanism shall be specified in the agreement with the subscriber. 

NOTE: For EXTENDED controls see clause 6.L5, SS.3.5. Documents Format. 

4) [EXTl] - Input document signature verification: 

The IPSP shall verify at the time of submission (or at any other time specified in the agreement in force), 
the validity of any AdES applied to the information submitted for preservation. The agreement with the 
subscriber should stipulate if documents, that the IPSP reports to the subscriber as faulty, are not to be 
preserved as delivered by the subscriber. 

A. 12.2.2 Control of internal processing 

Long Term Preservation specific controls: 

1) The IPSP shall identify which officers have the authorisation to add, modify, and delete information for each 
subscriber and, possibly, for each information type. 

2) The IPSP shall implement auditable procedures to verify the integrity of each processed information 
throughout the entire preservation process. 

NOTE: This can be achieved, for example, by comparing, at least at each key process step up to the final storage 
on the preservation media, the information digest with the one computed as soon as the information was 
received and by eventually implementing the Closure Evidence. 
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3) The IPSP shall verify and auditably report, at least at each key process step, that no information has been 
dropped by the process step. 

A. 12.2.3 Message integrity 

Applicable. No further control and/or implementation guidance needed. 

A. 12.2.4 Output data validation 

Applicable. No further control and/or implementation guidance needed. 

A.I 2.3 Cryptograpiiic controls 

A. 12.3.1 Policy on the use of cryptographic controls 

Long Term Preservation specific controls: 

1) The IPSP should make use of cryptographic algorithms generally recognised by de jure or de facto technical 
standards as suitable to withstand attacks at least for the period of time the preserved information is required to 
be kept, where feasible. 

NOTE 1: Some of the mentioned de jure or de facto technical standards are TS 102 176 [i.34] and FIPS 197 [i.21]. 

2) The IPSP should monitor cryptographic advances and, as soon as such advances provide evidence that this is 
necessary, update the algorithms and / or methods it makes use of. 

NOTE 2: Apart from cryptographic mechanisms, other ones e.g. legal, organizational methods, can also be used for 
proving that a certain document existed at a certain point of time. 

3) Exceptions to the previous items may depend on: 

a) adoption of organisational measures (e.g. preservation by trusted entities like public officers) that ensure 
security even beyond the presumed cryptography resilience threshold; 

b) legal provisions requiring specific cryptographic solutions. 

4) [EXTl] - Preserving encrypted information, by force of legal or service agreement. 

When the preserved information is encrypted: 

a) [EXTl. 2] The IPSP shall have in place suitable controls to verify that no document related data is 
preserved in clear, other than the agreed metadata required, e.g. for document retrieval. 

b) [EXT 1.4] The IPSP shall ensure the possibility to decrypt the encrypted information upon request 
by an authorised entity, e.g. the information owner, a Public Authority, etc. Dual control should be 
enforced by technical or organisational means. 

c) [EXTl .3] in case of encryption key compromise and/or unavailability refer to clause A. 12.3.2, Key 
management item 5. 

A. 12.3.2 Key management 

Long Term Preservation specific controls: 

1) Any IPSP key management activity shall be auditably logged. 

2) Where encryption algorithms are used the IPSP shall have in place auditable emergency procedures suitable to 
ensure the key recovery in case of loss or corruption of the key or unavailability of the personnel appointed to 
perform the ordinary procedures. Invocation of the emergency procedure shall be up to the relevant manager. 
Dual control should be enforced by technical or organisational means. 
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3) In case of derogation from the above provision an exhaustive description of why it was violated shall be 
reported to the relevant manager. 

4) Where encryption algorithms are used, in case of compromise, or in case of reasonable doubt of compromise, 
of the decryption key, or in case the encryption algorithm is known as broken or seriously weakened, 
emergency and auditable procedures shall be invoked by the relevant manager to encrypt the affected 
information with a different key or algorithm. Dual control should be auditably enforced by technical or 
organisational means. 

5) In case of derogation from the above provision an exhaustive description of why it was violated shall be 
reported to the relevant manager. 

A. 12.4 Security of system files 
A. 12.4.1 Control of operational software 

Long Term Preservation specific controls: 

1) The IPSP shall put in operation new and updated applications and operating system software only upon 
sign-off by the relevant management that formally approves the outcomes of auditably performed extensive 
acceptance tests evidencing that the testing was successful. 

2) Compilers or development tools shall not be permanently installed in the IPSP production environment, 
i.e. only executable code shall be permanently installed in this environment. 

A.I 2.4.2 Protection of system test data 

Long Term Preservation specific control: 

1) Provisions in the ISO/IEC 27002 [2] corresponding clause, items b) and c) may be softened to allow the IPSP 
to keep operational information copied in the testing environment if anonymized. 

A. 12.4.3 Access control to program source code 

Applicable. No further control and/or implementation guidance needed. 

A.I 2.5 Security in development and support processes 
A. 12.5.1 Change control procedures 

Long Term Preservation specific control: 

1) The IPSP shall test all system changes, prior to putting them into operation, in a segregated test environment, 
that should not be used for development purposes. See also clause A. 12.4.1, Control of operational software 
item 1). Any deviation to this segregation shall be accompanied by measures ensuring that activities performed 
in the development environment shall not modify the predefined test base in a permanent way. 

A. 12.5.2 Technical review of applications after operating system changes 

Long Term Preservation specific control: 

1) The IPSP should make use of operating systems that permit unwanted or unneeded functionality to be 
completely removed (hardening). Where applicable the "hardening" should be performed after every 
significant operating system update. 
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A. 12.5.3 Restrictions on cinanges to software pacl^ages 

Long Term Preservation specific control: 

1) The IPSP shall bind by agreement every third -party supplying software packages to deliver them free of 
mechanisms that could be triggered by the supplier or by the software application itself without the IPSP 
consent. 

A. 12.5.4 Information leakage 

Applicable. No further control and/or implementation guidance needed. 

A. 12.5.5 Outsourced software development 

Applicable. No further control and/or implementation guidance needed. 

NOTE: Provisions at clause A. 12.4.1, Control of operational software item 1 also apply. 

A.I 2.6 Technical Vulnerability Management 
A.I 2.6.1 Control of technical vulnerabilities 

Long Term Preservation specific control: 

1) Members of the IPSP teams specified in clause A. 5. 1.2, Review of the information security policy item 1) 
shall keep them up to date with news on security, related not only to the core IPS applications, but also to the 
ancillary services. 

A. 13 Information security incident management 

A.I 3.1 Reporting Information Security Events and Weaknesses 
A.I 3.1 .1 Reporting information security events 

Long Term Preservation specific controls: 

1) The IPSP shall draft and timely keep up to date clearly understandable instructions on how to report any 
information security related event the soonest possible upon detection. This information shall be made 
available to the authorised persons and may be available to them also online to make them able to access it 
anytime anywhere. Parts of this information that are deemed sensitive for the IPSP security shall be 
consistently classified and the online access to these parts shall be only allowed upon authentication. 

2) The IPSP shall have an auditable procedure indicating how to classify the incidents severity. 

3) All officers operating on the IPS shall be formally made aware of their responsibility, and of the existence of 
sanctions in case of default, to report without undue delay any information security related event, conflicting 
with the Security Policy in force, in compliance with the applicable instructions as in the previous items 1) and 
2). 

4) All officers operating on the IPS shall declare in writing that they have received the instructions as in the 
previous item 1 . Where applicable, it shall be specified which parts of such instructions are confidential. 

5) Disclosures to non authorised persons and entities on information security related events shall not be released 
unless upon formal authorisation by the IPSP management. 
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6) Where IPSP sub-contractors are involved, the instructions as in the previous item 1 shall be delivered to each 
sub-contractor's official representative, who in turn shall deliver them to the sub-contractor's employees who 
operate on the IPS related activities who shall accept them in writing. 

A. 13. 1.2 Reporting security weaknesses 

Long Term Preservation specific controls: 

1) The IPSP shall draft and timely keep up to date clearly understandable instructions on how to report any 
security weakness the soonest possible upon detection. This information shall be made available to the 
authorised persons by any means (e.g. on paper, electronically, etc.). Parts of this information that are deemed 
sensitive for the IPSP security shall be classified consistently and access online to these parts shall be allowed 
upon authentication. 

2) The IPSP shall specify how to classify the security weaknesses severity. 

3) All officers operating on the IPS shall be formally made aware of their responsibility and of the existence of 
sanctions in case of default, to report without undue delay any security weakness, conflicting with the Security 
Policy in force, in compliance with the applicable instructions as in the previous items 1) and 2). 

4) All officers operating on the IPS shall declare in writing that they have received the instructions as in the 
previous item 1 . Where applicable, it shall be specified which parts of such instructions are confidential. 

5) Disclosures to non authorised persons and entities on security weakness events shall not be released unless 
upon formal authorisation by the IPSP management. 

6) Where IPSP sub-contractors are involved, the instructions as in the previous item 1 shall be delivered by the 
relevant IPSP manager to each sub-contractor's formal representative, who in turn shall deliver them to each 
employee, operating on the IPS related activities, who shall accept them in writing. 

A.I 3.2 Management of Information Security Incidents and 
Improvements 

A.I 3.2.1 Responsibilities and procedures 

Long Term Preservation specific controls: 

1) The IPSP shall have in force audi table procedures ensuring that, upon reporting on security incidents and/or 
security weaknesses, a response team will take over the management of the incident and/or weakness with 
timeliness consistent with the incident/weakness severity level (see clauses A. 13. 1.1, Reporting information 
security events item 2) and A. 13. 1.2, Reporting security weaknesses item 2)). 

2) All involved IPSP personnel and sub -contractors shall be formally made aware of the existence and purpose of 
the team as in the previous item 1 . Where sub-contractors are involved, this information shall be formally 
delivered to each sub-contractor's formal representative, who in turn shall deliver it to each employee who 
operates on the IPS related activities who shall accept it in writing. 

3) The IPSP shall appoint in writing the persons responsible to handle the reported security incidents and 
weaknesses. The IPSP shall provide the appointed persons with detailed instructions on how to handle the 
reported security incidents and weaknesses (see clauses A.13.L1, Reporting information security events and 
A.13.1.2, Reporting security weaknesses), consistently with provisions in ISO/IEC 27002 [2] corresponding 
Clause, and on the possible related sanctions. All involved persons, IPSP employees, sub -contractors 
employees and third parties, shall be made aware of who is in charge of these responsibilities. Officers and 
subcontractors shall exchange information on the security related events only with members of the response 
team, unless otherwise authorised by the relevant management. 

4) IPSP employees in charge of managing reported incidents and weaknesses shall accept in writing the 
notification of their responsibility. 
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5) Actions taken in emergency cases suitable to affect the IPS security level shall be enacted under strict control 
of a duly authorised manager who shall be responsible for restoring the IPS to its pristine status after the 
emergency phase has been overcome. All phases related to the emergency shall be auditably recorded, 
specifying also the time each single record refers to, under the responsibility of the said manager. In particular: 

a) the emergency state shall exhaustively be described; 

b) all actions performed during the entire emergency phase shall be recorded; 

c) the conditions under which the emergency was deemed as closed shall be described; 

d) the time of restoring to the IPS pristine status shall be recorded. 

A. 13.2.2 Learning from information security incidents 

Long Term Preservation specific controls: 

1) The records of all detected security incidents and weaknesses shall report information suitable to be taken in 
consideration in the next Risk Assessment and Information Security Policy Document review sessions, to be 
performed according to the planned schedule or extemporaneously depending on the events severity. 

2) The IPSP shall specify upon the occurrence of what severity level of incident or security weakness a review of 
the Risk Assessment and/or the ISPD shall be performed extemporaneously. 

A. 13.2.3 Collection of evidence 

Applicable. No further control and/or implementation guidance needed. 

A. 14 Business continuity management 

A. 14.1 Information security aspects of business continuity 
management 

A. 14. 1.1 Including information security in the business continuity 
management process 

Long Term Preservation specific control: 

1) Depending on the IPSP services, the Business Continuity Plan shall be designed to make the IPSP capable to 
resume its activities without generating unacceptable delay, mainly to its trading partners and relevant 
Authorities, in abidance by the agreements in force and the applicable legislation requirements, yet meeting 
the security requirements. 

NOTE 1: Refer also to clause A.7. LI, Inventory of assets, item 5). 

NOTE 2: In order to ensure timely operation resumption the BCP can deliberately not envisage resuming some 
lower criticality operations. 

NOTE 3: A reference to drafting the BCP can be the BS 25999-1 [i. 1]. 
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A.14.1 .2 Business continuity and nsW assessment 

Long Term Preservation specific controls: 

1) Identification of and protection from risks affecting the personnel safety shall have the highest priority. 

2) Each Risk Assessment Session shall include a service discontinuity Impact Analysis on the IPS components. 
The Business Continuity Plan shall be designed and reviewed based on the outcomes of this Impact Analysis 
according to commonly accepted specifications, such as de iure or de facto standards. 

NOTE 1: A possible reference to drafting the BCP can be the BS 25999-1 [i.l]. 

3) The IPS components should be assigned a scale of criticality level. 

NOTE 2: One possible scale can be the following: highly critical, critical, priority, required, deferrable. 

4) The maximum down-time shall be defined for at least the key IPSP services and processes, among which: 

a) document acquisition; 

b) document preservation process; 

c) document exhibition. 

5) The business continuity strategy shall have among its goals ensuring that the maximum down-time identified 
in the previous item 4 is not exceeded. 

A.14.1. 3 Developing and implementing continuity plans including information 
security 

Long Term Preservation specific control: 

I) The "identification of the acceptable loss of information and services" (letter b) of the ISO/IEC 27002 [2], 
clause of reference) shall be performed against all types of handled documents. 

A.14.1 .4 Business continuity planning framework 

Long Term Preservation specific controls: 

1) The IPSP BCP shall specify which officers and in which cases shall invoke the IPS related BCP, in part or in 
its whole. 

2) The BCP shall ensure that a team of properly skilled operators ("Disaster Recovery Team") is regularly 
available in order to resume the operations at the disaster recovery, or back up, site with a timing that matches 
the timeliness identified in clause A. 14. 1 .2, Business Continuity and risk assessment, in particular at item 4. 

3) When members of the Disaster Recovery Team are employees of external service providers, an arrangement 
with these service providers shall be in force binding them to comply with the applicable BCP provisions, 
including provisions in the previous item 2. 

4) The disaster recovery / back up - site must be under the control: 

[CHOICE] 

a) of the IPSP itself; 

b) of a Service Provider whose reliability is regularly either directly ascertained by the IPSP or 
assessed as reliable by a trusted third party. 

5) The IPSP shall oblige external organisations that provide services to the IPSP BCP -through an agreement that 
contain also adequate sanctions- to meet the BCP requirements, including provisions in the previous items. 
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A. 14. 1.5 Testing, maintaining and re-assessing business continuity plans 

Long Term Preservation specific controls: 

1) The IPSP shall plan for regular test sessions at least of the following items of ISO/IEC 27002 [2], 
clause 14.1.5: 

"c) technical recovery testing (ensuring information systems can be restored effectively); 

d) testing recovery at an alternate site (running business processes in parallel with recovery operations 
away from the main site); 

e) tests of supplier facilities and services (ensuring externally provided services and products will meet 
the contracted commitment); 

f) complete rehearsals (testing that the organization, personnel, equipment, facilities, and processes can 
cope with interruptions)". 

2) The BCP complete rehearsal (see item f) of the ISO/IEC 27002 [2], clause 14.1.5) shall be performed at least 
within a short time after the IPS BCP is first set up, every time it is significantly changed and when established 
in the Security Policy/BCP. 

3) The IPSP shall oblige through agreement its Service Providers to participate to the BCP complete or partial 
tests and rehearsals. 

4) The IPSP shall oblige through agreement its Service Providers (see also clause A. 10.2.3, Managing changes to 
third party services): 

a) to timely communicate to the IPSP any significant modification to their systems involved in the BCP that 
might affect the recovery, and 

b) to implement such modifications only upon formal acceptance by the IPSP, with the exception of 
emergency cases that shall be properly documented by the Service Providers. 

5) The IPSP shall perform at least yearly inspections on its service providers' locations to ascertain that their 
systems that provide BCP related services to the IPSP have not been changed without the IPSP being notified 
or that emergency modifications have a sound explanation. 



A.15 Compliance 

A.I 5.1 Compliance with legal requirements 
A. 15. 1.1 Identification of applicable legislation 

Long Term Preservation specific control: 

1) The IPSP shall also satisfy provisions in ISO/IEC 15489:2001 [i.l7], part 1, chapter 5. 

NOTE: It is to be remarked that items c) ("voluntary codes of best practice") and d) ("voluntary codes of conduct 
and ethics") of this ISO/IEC 15489 [i.l7], chapter 5 perfectly match Directive 2006/123/EC [i.25], article 
26 (item 1, letter b.): "drawing up their own quality charter or participation in quality charters or labels 
drawn up by professional bodies at Community level". 

A. 15. 1.2 Intellectual property rights (IPR) 

Long Term Preservation specific controls: 

1) All IPSP licensed hardware and software products in use at the IPSP's shall be registered before being 
activated. 
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2) If the owner of IPR on a specific software waivers its own rights, documentation of this waiver shall be kept 
along with the evidence of ownership of licenses. 

A. 15. 1.3 Protection of organizational records 

New Long Term Preservation specific control: 

1) The IPS? should comply with relevant provisions set by ISO/IEC 15489 [i.l7], for example in chapter 7 
"Records Management Requirements". 

A. 15.1 .4 Data protection and privacy of personal information 

Applicable. No further control and/or implementation guidance needed. 

A. 15.1 .5 Prevention of misuse of information processing facilities 

Applicable. No further control and/or implementation guidance needed. 

A. 15.1 .6 Regulation of cryptographic controls 

Applicable. No further control and/or implementation guidance needed. 

A.I 5.2 Compliance with security policies and standards and 
technical compliance 

A. 15.2.1 Compliance with security policies and standards 

Long Term Preservation specific controls: 

1) The IPSP shall have in force an auditable procedure requiring all managers, at any level, to perform, preferably 
in an unscheduled way, reviews on their respective departments to ascertain compliance with the rules. 

2) The IPSP shall make known to all persons working on, and/or for, the IPS, the consequences of non 
compliance. 

A. 15.2.2 Technical compliance checking 

Long Term Preservation specific control: 

1) The IPSP shall regularly implement checks for compliance with security implementation standards as per the 
ISO/IEC 27002 [2] corresponding clause. 

2) If the IPSP resorts to external providers it shall state in the agreement with the providers the mutual obligations 
and responsibility as well as the scope of the testing (e.g. penetration tests or vulnerability assessments). 

3) The IPSP should comply with ISO/IEC 20000 [i. 18] or adopt an equivalent methodology to assure a periodical 
review and assessment of the operations. 

A.I 5.3 Information System Audit Consideration 
A.I 5.3.1 Information systems audit controls 

Applicable. No further control and/or implementation guidance needed. 
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A. 15.3.2 Protection of information systems audit tools 

Long Term Preservation specific control: 

1) The IPSP shall have audi table security procedures to ensure that software and hardware tools used by internal 
and, where applicable, external auditors are protected from unauthorised access and usage and that they are 
removed from the IPS when not used in assessment sessions. 
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Annex B (informative): 

Statement of Applicability Framework 

An IPSP, as specified in clause 4.3 will draft a Statement of Applicability where it will specify the provisions specified 
in the present document that it will abide by and those that are not applicable. In this later case, the exclusion shall be 
justified and document in writing. 



SAMPLE 

Information Preservation Service Provider XXXX: Statement of Applicability 



Date: DD/MM/YYYY 



Provisions in "ETSI TS [this document] including Annex A" 



Clause # 


Control 
(Item Number) 


Type of provision (mandatory, 
optional, recommended, 


Applicable/Not 
applicable 


Rationale (when not 
applicable) 











































Provisions in "Other P.A.S." 



Clause # 


Control 
(Item Number) 


Rationale for inclusion 


Notes 


(LR, CO, RA) 


Reference 




n..n 


Item X) Nth bullet 
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